
Win32/Cryptor

28 October 2008

Win32/Cryptor is a harmful Trojan that can further infect a computer by downloading and installing additional malware on the compromised machine. Users can acquire Win32/Cryptor without their knowledge by visiting malicious web sites or by downloading and installing contracted software from third-party web sites. It has rootkit functionality that lets it hide from the system and from antivirus programs.

Computers infected with Win32/Cryptor will have difficulty accessing the Internet. Win32/Cryptor can also prevent the computer from running security programs and various installed applications.

Aliases:
-

Risk Level: High

File Size: Varies

Affected System: Windows


53 Comments »

  • 1 }
    webmaster (author) said:

    1. Download Malwarebytes’ Anti-Malware (mbam-setup.exe) and save it on your Desktop.
    2. After downloading, double-click on mbam-setup.exe to install the application.
    3. Follow the prompts and install as “default” only
    4. Before the installation completes, check on the following prompts:
    - Update Malwarebytes’ Anti-Malware
    - Launch Malwarebytes’ Anti-Malware
    5. Click “Finish.” Program will run automatically and you will be prompted to update the program before doing a scan. Please update.
    6. Scan your computer thoroughly.
    7. When scanning is finished click on the “Show Results”
    8. Make sure that all detected threats are marked, click on Remove Selected.
    9. Restart your computer.

    Note: Win32/Cryptor may prevent mbam-setup.exe from downloading and running. You can download and rename this program from a different computer before running it on the infected system.

  • 2 }
    divisive said:

    Have you guys updated Malwarebytes before doing the scan? Other recommended tools I can see are Smitfraud and DrWeb Cureit.
    http://www.precisesecurity.com/tools-resources/adware-tools/smitfraudfix/

  • 3 }
    Crispin said:

    I’m in a pretty similar position to Deanna, AVG finds it but can’t fully remove it. Sadly the virus got the best of my main hard drive too. I bought a new 1TB HDD, slapped on XP and tried to recover any data I could, but they’d all been reduced to ‘file types’, my HDD read with a capacity of 10mb with 3 gig free. So I’ve lost it all and I’m getting nervous that my 2 data drives are in similar shape.

    If the virus affects your computer such that you can’t access the HDDs from My Computer unless you type in the drive letter into the directory, then don’t assume that repairing a boot sector will help. I naively thought this was the case, repaired and then lost my NTLDR, which is virtually irreplaceable unless you want to do some ghosting.

    Gonna try to rescue what I can to my new HDD now and format to start fresh with what data I have. Fingers crossed there’s no infected files.

  • 4 }
    Byrd said:

    I’ve had this thing for 2 months and couldn’t get it off. I couldn’t update anything on AVG 8.0 because of it. But what webmaster said to do worked for me.

  • 5 }
    chaz said:

    I downloaded Malwarebytes and it won’t start on my computer, I cannot get it to open.

  • 6 }
    adam said:

    I tried to download the programme the webmaster recommends, to no avail; the virus seems to redirect me when I click the download link.

  • 7 }
    Taylor said:

    AVG detects it, Malwarebytes does not… but the funny thing is, when I ran Malwarebytes, it detected 11 other viruses that AVG never told me about. So I removed them all and restarted, but those two were still there.
    Now it’s playing with my DHCP client and every now and then screwing up my internet altogether. Also, I tried the safe mode thing, AVG doesn’t run in safe mode…
    This is really getting to me, as this is a practically new computer. Somebody please suggest something to those that aren’t getting results from the rest of these suggestions. Thanks in advance.

  • 8 }
    gaiato said:

    taylor, same happened to me.
    reinstall modem software.

  • 9 }
    taylor said:

    It’s just really annoying that I’ve done the same exact things that have worked for other people, but the viruses are still there, and they seem to affect my computer more and more every time I try to get rid of them. Now my comp is blue screening, and when I start it up, it’s hit or miss whether or not I can even get it to do what I want it to do. I’m really frustrated and I don’t have the money to pay some random guy to do something I’m pretty sure, with the right program, I could do myself. =(

  • 10 }
    taylor said:

    by the way, chaz, right click malwarebytes, open file location, and on every file that’s an application (.exe) right click it, go to the “compatibility” tab, and check the first box which should say “run this program in compatibility mode for…”

    and you have to do that for every application

    but malwarebytes won’t detect this virus

  • 11 }
    taylor said:

    wooowww…

    i did what helms said and i have to say, i don’t know why i didn’t try it before

    the virus is completely gone, my DHCP client works as it should, AVG can update once again, and my computer is running like it used to

    everybody should do system restore to the day before the virus was detected, this is literally the only thing that worked

    thanks helms!!
    good luck everyone

  • 12 }
    Kevin said:

    I have all the same problems as Taylor. Of course, this nasty little thing has removed all my restore points. Also, when I do try to restore back two days ago “DATA CORRUPTED” AVG doesn’t help, or Malware. DHCP fails after 10-15 of internet connection.

  • 13 }
    Larry said:

    Just got infected yesterday and could tell that my browser searches were being hijacked.

    From windows, I tried the latest versions of Malware Bytes, AVG Free, SpyBot S&D, Avast, TrendMicro Internet Security, RUBotted & House Call. All gave me a completely clean bill of health, nothing more than a couple tracking cookies.

    Rebooted into Safe Mode, and ran AVG Free 8.5, which identified and moved several files to the virus vault, but Windows wouldn’t boot afterwards. Manually restored affected Windows OS files (which had been moved to AVG virus vault), and I’m back to normal.

    Note that, at least in my case, the following Windows OS files were all infected: winlogon.exe, services.exe, lsass.exe, svchost.exe, explorer.exe, and taskmgr.exe. Also infected were AVG files AVGui.exe, AVGscanx.exe, and AVGsrvx.exe as well as an Intel file IgfxSrvc.exe, and one other file which I didn’t find on Google called UACmntteaiy.dll, and if it were a Vista machine, I might guess that UAC stood for User Account Control, except this was an XP machine, so I don’t know.

  • 14 }
    phil said:

    i just did a scan and this was detected on avg free, i reckon if you make sure your virus definitions are up to date avg should find it and zap it.

  • 15 }
    Boostaholic said:

    I noticed the same thing as Larry. I am curious what these files are since I’m running XP on this machine, and UAC is not included in XP.

    “the following Windows OS files were all infected: winlogon.exe, services.exe, lsass.exe, svchost.exe, explorer.exe, and taskmgr.exe. Also infected were AVG files AVGui.exe, AVGscanx.exe, and AVGsrvx.exe as well as an Intel file IgfxSrvc.exe, and one other file which I didn’t find on Google called UACmntteaiy.dll, and if it were a Vista machine, I might guess that UAC stood for User Account Control, except this was an XP machine, so I don’t know.”

    Also before I make my machine un-bootable, will it clean these files, or just delete all infected files? Because I doubt my OS will boot without winlogon.exe, services.exe, lsass.exe, svchost.exe, explorer.exe, or taskmgr.exe. Take your pick, I don’t think it will boot with ANY of the above files deleted.

  • 16 }
    Tom said:

    I read Larry’s post this morning and considered that I had better make a couple of CDs before proceeding: 1. Ultimate Boot CD for Windows and 2. the files needing to be replaced. This seems a bit off given the fact that my wife’s computer is the only Windows system we have and I am concerned that the system I am pulling binaries from might not sync up …

    I would also like to add to Larry’s post the fact that

    1. I was unable to install and run any A/V packages from standard or safe modes. They all were running in taskmgr and doing nothing. I don’t remember how I managed to get AVG free to install on the system.

    2. The machine would randomly lock up within at least 5 minutes.

    3. AVG Free reported that the system passed and Panda Online saw the issue with UACmntteaiy.dll that did not seem to exist.

    4. The trick for me was to use safe mode without networking and logged in as Administrator. It was then that AVG started finding and quarantining the file list Larry described.

    We’ll see how the rest of this painful procedure goes …

  • 17 }
    RR said:

    1) AVG, Superantispyware or Malware bytes were unable to clean the virus off my disk (with WinXP pro).

    2) They however find the responsible virus files: agvykep.dll, agvykep.dll.bak and ggfthrb.dll (in Windows/System32/) – they had all the same size of 103 kB, on your system they can have different names, but should have the same size. Write down the names of the virus files reported by your antispyware software.

    Sort files by size in Windows/System32 folder and check that even after antispyware report that it cleaned the infection after reboot these files are still undeleted = virus keeps on surviving the cleaning.

    3) These files are unable to be deleted in any way, nor by Unlocker, nor in Safe mode.

    4) The only way that worked for me was as follows:

    a) Boot system from the original Windows CD.

    b) Choose R for Recovery Console

    c) Use Command Line to go to the folder Windows/System32/ (CD.. to get to the required folder), where the files are and use DEL yourfilename.dll (2 files) + DEL yourfilename.dll.bak (1 file) to delete them manually. (It works because the virus files are not loaded and locked and you can delete files with no problem.)

    d) Remove CD from drive and then reboot into Safe mode – use antispyware software to get rid of the resting 4 virus keys in the registry. Reboot

    Now it should be clean. Because this virus deletes all restore points, but the one from the day when it was caught, you can also turn the restore point function OFF (to delete the ones with the virus) and then ON in order to have only clean restore point from the date of the virus removal.
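
As an added illustration of the check RR describes (not code from the original page or from any commenter), this Python sketch lists `.dll`/`.dll.bak` files of identical size in one directory and flags the `UAC`-prefixed names Larry and RHC report. It is meant to be pointed at the System32 folder of the offline volume from clean boot media, since commenters report files that are locked or that "did not seem to exist" on the running system. The function names, the regular expression and the sample directory are assumptions of this example; it only reports and deletes nothing.

```python
"""Triage helper: same-size .dll/.dll.bak clusters and UAC-prefixed file names."""
import os
import re
import tempfile
from collections import defaultdict

# Name shapes taken from the comments on this page (UACmntteaiy.dll, UAC68d.tmp).
# The regular expression generalising them is an assumption of this example.
UAC_NAME = re.compile(r"^UAC[0-9A-Za-z]+\.(dll|tmp)$", re.IGNORECASE)


def find_suspects(directory):
    """Return (clusters, uac_names) for the files directly inside `directory`.

    clusters:  sorted list of name lists; each list holds .dll/.dll.bak files of
               identical byte size where at least one .dll has a same-size
               .dll.bak copy next to it (the pattern in RR's comment).
    uac_names: sorted list of file names matching UAC_NAME.
    """
    by_size = defaultdict(list)
    uac_names = []
    with os.scandir(directory) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            lower = entry.name.lower()
            if UAC_NAME.match(entry.name):
                uac_names.append(entry.name)
            if lower.endswith(".dll") or lower.endswith(".dll.bak"):
                size = entry.stat(follow_symlinks=False).st_size
                by_size[size].append(entry.name)

    clusters = []
    for names in by_size.values():
        lowered = {n.lower() for n in names}
        # Require a foo.dll + foo.dll.bak pair so that ordinary system DLLs
        # that merely share a size are not reported.
        has_bak_pair = any(n + ".bak" in lowered
                           for n in lowered if n.endswith(".dll"))
        if len(names) >= 2 and has_bak_pair:
            clusters.append(sorted(names))
    return sorted(clusters), sorted(uac_names)


def build_sample_dir(root):
    """Fill `root` with constructed dummy files (zero bytes only, no malware)."""
    sample = {
        "agvykep.dll": 105_472,      # names from RR's comment; sizes constructed
        "agvykep.dll.bak": 105_472,
        "ggfthrb.dll": 105_472,
        "kernel32.dll": 98_304,      # constructed benign entries
        "shell32.dll": 65_536,
        "UACmntteaiy.dll": 40_960,   # name from Larry's comment
        "notes.txt": 105_472,        # same size, other extension: ignored
    }
    for name, size in sample.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\0" * size)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        clusters, uac = find_suspects(build_sample_dir(tmp))
        for group in clusters:
            print("same-size cluster:", ", ".join(group))
        for name in uac:
            print("UAC-prefixed name:", name)
```

A hit is a lead to check against the antivirus report, not proof of infection.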

  • 18 }
    manfrmars said:

    Thanks RR! I have exactly the same problem, none of the antivirus software mentioned above worked, can’t restore the system back to the clean state (click the next, computer does nothing). I’m going to try what you suggested here. But I don’t understand your last paragraph. Could you elaborate it further? Thanks!

  • 19 }
    manfrmars said:

    Also, I think my infected files are Windows system files. If I delete them, what if Windows can’t start any more?

  • 20 }
    aplustech said:

    The Cryptor virus has quickly morphed into a nasty little problem. The genius mind that is being wasted creating this crud is using a classic roadblock technique, similar to the Smitfraud-type “XP Antivirus 2009” of last fall. Each avenue found to be successful in overcoming the infection is disabled or interfered with in some way, so as to make removal of the “improved” version progressively more and more difficult.

    I successfully removed Cryptor from a client’s laptop yesterday and I see lots of others are stuck, so here goes . . .

    Platform was XP Home SP3. The client had McAfee and Malwarebytes, and both seemed to be properly installed, updated and functional prior to infection. Windows patches were also up to date. I set up this machine myself, about 6 months ago.

    Upon infection, Malwarebytes was instantly disabled. Very cleverly done – double click on it, an hourglass appears briefly, then disappears . . . . and then absolutely nothing happens. A brand-new executable of the program was downloaded, and found to be similarly useless – it gave an error relating to a violation of administrator policy . . hehe . . . I was logged in as administrator. I explored the policy editor snap-in via command console, and found nothing awry.

    I tried to install SuperAntispyware, which is great against Cryptor’s rootkit-type mechanism, but the bug blocked the installation with a bogus Windows error message.

    Windows installer was still fully functional for installation of other programs, but the installation of Malwarebytes and SuperAntispyware were both completely disabled.

    All boot modes were accessible, but installation of the two programs it “knew” could get it was impossible in any of them. Very clever . . . and very frustrating.

    System restore came up in all modes, including command line. It also showed all previous restore points as valid, but any attempt to restore the machine to any of them resulted in a similarly frustrating dead end. On execution of the restoration, the machine just sits there and does absolutely nothing.

    I jumped online (with the infected machine) and purchased a one-year license for PreVX Edge 3.0 – it walked me thru installation, definition update, disabling network and antivirus during removal, and the scan (which took less than seven minutes). It found the virus had multiplied code into hundreds of locations – the tips of the root system. Then it automatically rebooted the machine and completed the rip-up of the rootkit.

    On reboot, Malwarebytes had been restored to complete functionality. I was able to immediately download its current definition file and run a complete scan, which quickly located and fried the central components (about 6 files located in the system32 folder). Functionality of SuperAntispyware was restored also. I installed, updated and scanned with it normally. I continued to run scans with PreVX, Malwarebytes and Superantispyware in succession until everything reported back as clean.

    My own personal machines are running AVG Free 8.5 and PreVX Edge 3.0 simultaneously with no interference. SuperAntispyware is heavy on system resources, so I have it installed – but it only runs manually when I choose to, about once a week.

    Anyone who has Cryptor or other entrenched rootkits on their machine will do well to pay 30 bucks for PreVX. It will remove infections quickly and easily, and provides excellent real-time protection against Cryptor and its ilk in the future. I’m sure there is some complicated technical solution here also, but this is what worked for me. Hope it helps others too. ~greg

  • 21 }
    XXVII said:

    I got infected too.. I only have installed AVG and Nod32 which didn’t find anything and I can’t install any other programs. Right now I don’t have the Windows CD with me and AVG just detects the Cryptor virus but doesn’t delete it, what else can I do? Please help, I have a lot of very important archives here and can’t lose them.. btw my computer doesn’t detect the USB drives

  • 22 }
    WVbuzzard said:

    WEBMASTER’S # 1 COMMENT worked perfect for me. I had this Win32/Cryptor running in about 6 different Windows system processes and could not get rid of this nasty lil virus. I downloaded Malwarebytes’ Anti-Malware… followed webmaster’s directions to a “T” and it worked like a charm. I will be keeping this great program in my spyware / malware arsenal. This program picked up 14 more threats that S&D Spybot and Adaware didn’t pick up. My computer’s running great and as fast as ever… THANKS for the most helpful information!!

  • 23 }
    manfrmars said:

    Thanks Greg, for detailed infomercial :-)!

    Actually I got the help from the great team in Geekpolice.net. They walked me through every step of the way to completely clean up my system. And it’s absolutely free! Just remember to publicize their service and make any donation if you feel like. For the quality service I received I will definitely do that. XXVII, go and check it out, and report it back here to help others.

  • 24 }
    XXXI said:

    Hey I finally got rid of that virus!! here are some tips:

    * Run AVG to detect the Virus
    * Rename the Malwarebytes’ setup name before you download it
    * If Malwarebytes installed but will not run navigate to this folder:
    C:\Programs Files\Malwarebytes’ AntiMalware
    and rename all the .exe files in the Malwarebytes’ Anti-Malware folder and try to run it again.
    * Follow all the steps from the first post
    * Then download SUPERAntiSpyware and run a full scan to kill all Cryptor’s family
    * Run again AVG and do another scan and the virus should be gone!

    After killing the virus I still had my USB problems so I uninstalled my NOD32 antivirus that didn’t help me this time and my USB ports came back to life! So I think I will just keep in my arsenal AVG and AntiMalware and maybe the SUPERAntiSpyware too just in case..

    Thank you a lot for your help guys but I hope I don’t have to see you again anymore.. haha see ya

  • 25 }
    Susan said:

    What is the likelihood that a computer infected with the virus that sent e-mails out with attachments would infect the computers that received the e-mail attachments?

  • 26 }
    Aeria said:

    I just followed XXXI’s instructions (about renaming the Malwarebyte .exe files) and I was actually able to use the program. I’m pretty certain the virus is gone from my computer.

    I no longer get the random pop-ups, and when I search for win32 cryptor removal, the search engine actually works for me. Thanks so much!

  • 27 }
    T. Roy said:

    APLUSTECH’s #27 solution nailed the Win32 Cryptor just like he said. Everything is finally clean thanks to him and PrevX Edge 3.0. So far everything is finally gone, best $30 I spent. Thx Greg.

  • 28 }
    Crazy Fools said:

    XXXI’s instructions work like a charm (Post #31). Thanks!!!

  • 29 }
    Nick said:

    +1 to XIII’s Solution (#31). This worked a treat. Thanks a lot for posting! P.s my usb’s were also messed up however removing the virus cleared the problem up thank god!

  • 30 }
    Ray said:

    *My main suggestion, if all else fails, is at the very bottom.*

    I had tried many of these ways, but couldn’t get free versions of anything to fully download. I finally emailed Microsoft and AVG (I have the paid version) and they both were working on my problems, when one day I had big updates on my computer and when I turned it back on it took 30 minutes to boot up as it was doing some scan. Some of the Win32 family was found and removed, but not Cryptor.
    I then followed XXXI’s suggestion as I was now able to run free versions of anti-spyware and ran Mal, then Super, then a full AVG scan, then ran AVG the next day, then the next. My computer still has minor issues and it’s 3 years old, but it has killed the Win32 family and no anti-spyware program detects anything anymore!

    My suggestion is to email your virus provider and have them do an analysis of your computer. AVG did that for me. Also, have patience as killing these things isn’t instant.

  • 31 }
    Erin said:

    Cryptor has completely disabled my computer. I had AVG 8.5 installed to begin with and it found it but couldn’t do anything about it. Tried the scan in safe mode to no avail. Now I can’t get on the internet bc it won’t let me open a browser so I downloaded the Malwarebytes onto a flash drive. I can open the flash drive, but it will not let me transfer the file onto the hard drive. It doesn’t matter what it’s named, it won’t allow any downloads of any files. System restore is disabled. I tried manually deleting the affected files and it won’t allow any deletions. I’m considering hurling the thing out the window, but I don’t want to harm an innocent bystander :(

  • 32 }
    Lola said:

    i had this virus and none of the above suggestions would work for me, so if you are in that situation too i suggest you use pc tools spyware doctor. i paid for it but i think there is a way to get it free from gmail, you can download a ‘pack’ or something. i couldn’t figure out how to do it so i’m sorry i can’t give instructions but if i do figure it out i will come back on here and say. but yeah, that’s your program, cleared everything up fine for me!!

  • 33 }
    Lola said:

    yeah just go to pack.google.com and there is a list of software you can download, Spyware Doctor is one of them and it’s free :)

  • 34 }
    bdown813 said:

    One note to XXXI’s post.

    If renaming the .exe files still doesn’t allow you to launch the executable try checking the properties of the mbam.exe (now renamed) and use the compatibility tab. I set it to be compatible for Windows 98/ME and retried the .exe. Worked like a charm.

  • 35 }
    lyn said:

    Can plugging my MP3 player into the usb to charge the battery infect the player? I’ve been trying to get rid of the virus for a day now but haven’t been successful yet. I plugged in my Mp3 player to charge it without really thinking that it could harm it, but now when I use it the sound is sorta messed up.

  • 36 }
    Arby said:

    To Lyn:
    Yes. If your mp3 player is the type that acts the same as a Flashdrive (AKA thumbstick, thumbdrive, USB stick, etc) then YES it can get infected!

  • 37 }
    bdeck said:

    hey i have read about every comment so check it:

    this virus acts close to the Sircam virus

    step one (if you can): run avg 8

    if you can’t get avg to open go to run:
    cmd
    C:\windows\system or C:\winnt\system32
    type ATTRIB -S -H -R Scam32.exe
    (even if you don’t have the sircam virus)
    this pulls the virus to the surface of your comp and shows the virus tendencies, don’t freak out, now you should be able to run avg

    reboot

    run malware

    reboot

    run spybot s&d

    reboot

    you should be clean

  • 38 }
    zaa83 said:

    XIII’s Solution worked great but needed to run superantispyware a number of times to cure the computer.
    The best thing is the fix is free

  • 39 }
    Martina said:

    I have been studying and following all of the courses of action that everyone here has been talking about. I have Vista. I had to have someone send me AVG zipped through email. I had to rename Malwarebytes over and over, changing paths and ran them repeatedly in safe mode, to no avail. When it finally ran clean, the virus was still there. SuperAnti-Spyware picked up a lot of things that Ad-aware did not. Malwarebytes picked up things that AVG did not. Glary Registry Repair is useless compared to CCleaner. Trend Micro’s “House Call” was useless.. passing by my Windows system 32 folder with no objects found. I finally found prevX, it highlighted 3 problems, AVG was only finding 2. It prompted me to pay for a year at the rate of $24.95/month for which I angrily slapped down my Visa card number. But it’s gone – all scans are coming back clean, my firewall remains on after booting up, and no warnings opening firefox.

  • 40 }
    Matthew said:

    Like RR said in post dated March 30, 2009 at 2:48 pm, worked for me too. First my AVG was popping up every minute because it found Cryptor in windows/system 32 and it was the same file every time. The easiest way to remove it is to restart the computer, choose recovery console and then go to directory windows/system 32 and delete the file and its .bak copy. That’s the easiest way if spyware tools don’t detect the virus. AVG detects it but can’t remove it.

  • 41 }
    Kyle said:

    I got it a couple of days ago and I am new to Vista so I wanted to repartition the drive to back up my 45gigs of music and 12gigs of pics and other assorted crap. Went to walmart and picked up a 250gb external drive for $70, backed everything up and ran the system recovery… only after Malwarebytes Anti-Malware, AVG, IoBit Advanced System Care, Regedit FAILED!.

    First F-ING virus in 10 years…if someone knows who created this crap let me know…I wanna beat them senseless. I have had to reformat due to my own mistakes in the past but not cause of anyone else.

    I am back up and running now and still not happy about the amount of work I had to do to get here.

  • 42 }
    Pippini said:

    I have to say a great “thank you” to this forum.
    My notebook has been infected by Cryptor, and it didn’t run correctly for a couple of days: re-start computer without any advice, PC blocked, no safe boot, etc. I have AVG antivirus which detects Cryptor but does not remove it.
    Then, I followed the tips of post #31, and with some additional complications, I got rid of the virus (I hope so…).
    The story:
    1) Any attempt to install SuperAntiSpyware and Malwarebytes in the affected computer (even changing the name of the files) didn’t work.
    2) Then, I tried the procedure suggested by Boris (post #73, thanks Boris!). Sophos anti-rootkit not only was installed correctly but allowed a first cleaning of some infected files.
    3) After the step 2, I could install both SuperAntispyware and Malwarebytes’, download the last definitions of both, and start the cleaning.
    4) It seems that Cryptor was removed from the system…
    5) At the time, I am running Kaspersky online scan to detect any traces.
    Thanks again to the forum for the precious info.

  • 43 }
    glen said:

    Sophos anti-rootkit works magic. all other anti-spyware softwares couldn’t solve the problem.

  • 44 }
    jess m said:

    Ok, so we did everything that was listed and after running all the spyware/virus detection programs we have not found ANY virus on the computer however, it will still not let us access the internet using an ethernet cord. Anyone else have this issue? Were you able to resolve it?

  • 45 }
    Kyle said:

    I got Peggle Nights and I put it on my flash drive and when I tried running it it said it had this virus and I was like wtf -.-. Now I can’t play Peggle Nights :(

  • 46 }
    RHC said:

    Boris or xXtra or anyone else:

    Got Cryptor months ago, it fried Malwarebytes, fried Spybot, fried my restore points, AVG picked it up but wouldn’t remove it, and the last few weeks AVG won’t even run a scan.

    Have downloaded Sophos and run a scan. It has picked up 250 entries, mostly .tmp files starting with UAC (example: C:\WINDOWS\Temp\UAC68d.tmp), but also about two dozen random letter files like hjgruimxbfhqpx.dll. Sophos doesn’t recommend cleaning up any of them.

    Do I delete everything, all 250? Do I just start with the “hjgru” files?

    Any advice would be appreciated. I’ve lived with this virus for months, and my system is getting so threadbare that I have a hard time getting the computer to boot at all.

  • 47 }
    Me said:

    AVG works

  • 48 }
    Caitie said:

    My AVG picked it up but won’t let me get rid of it, I tried to install Anti Malware Bytes but I can’t rename it before it d/ls and when I go into the folder to rename I can’t find any .exe files. I’m thinking I might have to do a full system restore around 5 months back which would really suck.

  • 49 }
    Caitie said:

    AVG picked it up but won’t let me remove the virus, and my Trend Micro Anti-Virus won’t pick it up at all and the virus won’t let it update.
    I tried to download Anti-Malware Bytes but I can’t rename the file before downloading and afterwards when I try to rename it I can’t find any of the .exe files and so it won’t open.
    I’m thinking maybe a System Restore would help but I would have to go back about 6 months which would really suck.

  • 50 }
    JB said:

    I followed the steps in #31 and the initial post by webmaster and it appears Cryptor is gone.

    Prior to this AVG had found and quarantined win32/Cryptor in an “\temp\Installer.exe”. But when I would sign onto the one account that seems infected pop-ups would occur again and re-infection would occur. This happens shortly after login without any program being manually started. Only the one account seems infected, not others, the one being a non-administrative account. However, I was not able to write to a DVD.

    During this AVG found nothing more, MBam found four executables in “\temp” and removed them, and SuperAntiSpyware reported nothing more than tracking files (e.g. cookies).

    I have a remaining concern that I don’t see what actually removed the cause of re-infection. There was no report of removing a rootkit or anything else except the four executables in “\temp” and the various tracking files.

    What actually removed the re-infection source?

  • 51 }
    JB said:

    Follow-up to #91

    A little later it was obvious the infection was still there. It seemed clean for a little while but then pop-ups again even without using any software manually invoked.

    Malwarebytes found more and removed. But this did not permanently remove the problem.

    Installed PREVX 3.0 which found three more and with the paid version removed them. There is a coupon available for a 10% discount.

    I am not convinced all is gone. I’ve had two weird occurrences still: 1) signed on and no sign of PREVX running (but should) and also no sign within IE 7 of it running, so I logged off. Then, 2) my passwords to accounts did not work.

    So I rebooted my PC and then my passwords worked and PREVX is there on logging in and in IE 7.

    I guess this is a chapter book.

  • 52 }
    YDB said:

    The issue for me is finally resolved!
    After following all that was written here AVG kept popping up with virus alerts even though the scans came up clean.
    I could not do a system restore since the virus infected the restore files.
    Windows update was also not working.
    This is what I did:

    1. Download the latest Windows Malicious Software Removal Tool at hxxp://www.microsoft.com/downloads/en/default.aspx
    run the tool. restart computer.

    2. Since windows update wasn’t working I opened up a support ticket at hxxp://support.microsoft.com/ph/6527/en-us/#tab0
    click contact a support professional by email. They helped me through the process until I was able to download all the critical security updates I missed.

    3. Run a full free PC scan at hxxp://onecare.live.com/site/en-us/default.htm
    follow instructions after scan.

    4. Download Microsoft Security Essentials from same website.

    5. Disable all anti-virus/spyware programs and run Microsoft Security Essentials complete scan.

    6. Repeat steps 3 and 5 until all infections are removed.

  • 53 }
    Easyrider said:

    I had this little blighter today – tried to virus scan with AVG9, got part way but it was taking ages, CPU 100%, each object was taking several seconds to scan, so after about 8 hours of scanning I aborted and rolled back with system restore – updated AVG, scanned clean, CPU back to normal.

    System Restore is such a useful tool – I’d recommend setting it up on every new computer before connecting it to a router and setting it up to automatically set restore points – it’s got me out of a load of holes over the years – do it now!!
