Win32/Cryptor is a trojan that can further harm a compromised computer by downloading and installing additional malware onto it. Computers can become infected with Win32/Cryptor without the user's knowledge by visiting malicious websites or by downloading and installing software from third-party websites that bundles the trojan. This threat has rootkit functionality that lets it hide itself from the operating system and from antivirus programs.
Computers infected with Win32/Cryptor will have difficulty accessing the Internet. Win32/Cryptor can also prevent the computer from running security programs and various installed applications.
Aliases:
-
Risk Level: High
File Size: Varies
Affected System: Windows
100 Responses for "Win32/Cryptor"
1. Download Malwarebytes’ Anti-Malware (mbam-setup.exe) and save it on your Desktop.
2. After downloading, double-click on mbam-setup.exe to install the application.
3. Follow the prompts and install with the default settings only.
4. Before the installation completes, check the following prompts:
- Update Malwarebytes’ Anti-Malware
- Launch Malwarebytes’ Anti-Malware
5. Click “Finish.” The program will run automatically and you will be prompted to update it before doing a scan. Please update.
6. Scan your computer thoroughly.
7. When scanning is finished, click on “Show Results”.
8. Make sure that all detected threats are marked, then click on Remove Selected.
9. Restart your computer.
Note: Win32/Cryptor may prevent mbam-setup.exe from downloading and running. You can download and rename this program on a different computer before running it on the infected system.
Malwarebytes Anti-Malware did not detect it, even though my AVG did…
I had the same issue as Rachel. All I did was reboot into safe mode and run AVG, and it got rid of it that way. Trying to remove it any other way gives you a file locked error.
I have the same issue and my AVG Professional has detected it and given me a warning, so I think that if you use the professional version then you can put the virus in quarantine.
Good luck.
AVG Free will detect it and quarantine it in the virus vault. It spawned 8 trojans (generic.8.hfh) on my machine AND had a few randomly renaming reg keys. win32/cryptor snuck past AVG, which had updated and run scans on both the OS and storage drives (C2D-6800 4GB, 2TB, FireLG v7300, XP Pro SP3). Ran AVG again, installed and ran Malwarebytes and finally Spybot got rid of the annoying reg value. I’m going to be more aware of this virus and hope I don’t see a nastier ‘antibiotic resistant’ strain on this machine! Scares me that it got past active and up-to-date Spybot, AVG and hardware measures in place. Had to reboot 2X, once for AVG to run clean and once after running Malwarebytes. Gone now… Keep your AV UPDATED!!! Literally within an hour of my update I got it. I run Firefox for a browser and I am thinking that the Adobe Updater opened the big security trap door in Windows that is Internet Explorer. This is the prime target for hackers and they figured out another way to burrow into your data and cause havoc. You want cheap insurance? Back up your personal files on remote storage (CD, DVD, external drive, network storage, etc.). Go spend 10 bucks and get a 4 or 8GB flash drive; it will save you a headache later…
AVG detected it but I had to use SuperAntiSpyware Professional to remove it. The antispyware program has saved me more than once; it’s an awesome program and I recommend it highly. By the way, I use the free version of SuperAntiSpyware Professional. Good luck everyone, happy computing.
Tried everything above, was pulling my hair out, nothing worked.
Then… brainwave: the old system restore. Restored to the day before and bingo!! No infection.
Good Luck.
Hello,
I have this virus on my computer. I ran the AVG free virus scan on my computer and it did not detect this virus. I also have Malwarebytes, and I scanned and it found nothing. Yet, whenever I open my Internet Explorer, this little message pops up from AVG. It reads “THREAT DETECTED.” And I try to Heal it, or move it to the vault, and nothing happens. My computer is running fine at the moment. I called a company, and they said they could help me for 129 dollars :( and I can’t do that. So, if you could post a comment with suggestions, please help.
Ty-D
Have you guys updated Malwarebytes before doing the scan? Other recommended tools I can see are Smitfraud and DrWeb Cureit.
http://www.precisesecurity.com/tools-resources/adware-tools/smitfraudfix/
I’m in a pretty similar position to Deanna: AVG finds it but can’t fully remove it. Sadly the virus got the best of my main hard drive too. I bought a new 1TB HDD, slapped on XP and tried to recover any data I could, but they’d all been reduced to ‘file types’; my HDD read with a capacity of 10MB with 3 gig free. So I’ve lost it all and I’m getting nervous that my 2 data drives are in similar shape.
If the virus affects your computer such that you can’t access the HDDs from My Computer unless you type the drive letter into the directory, then don’t assume that repairing a boot sector will help. I naively thought this was the case, repaired it and then lost my NTLDR, which is virtually irreplaceable unless you want to do some ghosting.
Gonna try to rescue what I can to my new HDD now and format to start fresh with what data I have. Fingers crossed there are no infected files.
I’ve had this thing for 2 months and couldn’t get it off. I couldn’t update anything on AVG 8.0 because of it, but what webmaster said to do worked for me.
I downloaded Malwarebytes and it won’t start on my computer; I cannot get it to open.
I tried to download the programme the webmaster recommends, to no avail; the virus seems to redirect me when I click the download link.
AVG detects it, Malwarebytes does not… but the funny thing is, when I ran Malwarebytes, it detected 11 other viruses that AVG never told me about. So I removed them all and restarted, but those two were still there.
Now it’s playing with my DHCP client and every now and then screwing up my internet altogether. Also, I tried the safe mode thing; AVG doesn’t run in safe mode…
This is really getting to me, as this is a practically new computer. Somebody please suggest something to those that aren’t getting results from the rest of these suggestions. Thanks in advance.
Taylor, same happened to me.
Reinstall modem software.
It’s just really annoying that I’ve done the same exact things that have worked for other people, but the viruses are still there, and they seem to affect my computer more and more every time I try to get rid of them. Now my comp is blue screening, and when I start it up, it’s hit or miss whether or not I can even get it to do what I want it to do. I’m really frustrated and I don’t have the money to pay some random guy to do something I’m pretty sure, with the right program, I could do myself. =(
By the way, Chaz, right click Malwarebytes, open file location, and on every file that’s an application (.exe) right click it, go to the “Compatibility” tab, and check the first box, which should say “Run this program in compatibility mode for…”
And you have to do that for every application.
But Malwarebytes won’t detect this virus.
Wooowww…
I did what Helms said and I have to say, I don’t know why I didn’t try it before.
The virus is completely gone, my DHCP client works as it should, AVG can update once again, and my computer is running like it used to.
Everybody should do system restore to the day before the virus was detected; this is literally the only thing that worked.
Thanks Helms!!
Good luck everyone.
I have all the same problems as Taylor. Of course, this nasty little thing has removed all my restore points. Also, when I do try to restore back two days ago: “DATA CORRUPTED”. AVG doesn’t help, or Malware. DHCP fails after 10-15 of internet connection.
Just got infected yesterday and could tell that my browser searches were being hijacked.
From windows, I tried the latest versions of Malware Bytes, AVG Free, SpyBot S&D, Avast, TrendMicro Internet Security, RUBotted & House Call. All gave me a completely clean bill of health, nothing more than a couple tracking cookies.
Rebooted into Safe Mode, and ran AVG Free 8.5, which identified and moved several files to the virus vault, but Windows wouldn’t boot afterwards. Manually restored affected Windows OS files (which had been moved to AVG virus vault), and I’m back to normal.
Note that, at least in my case, the following Windows OS files were all infected: winlogon.exe, services.exe, lsass.exe, svchost.exe, explorer.exe, and taskmgr.exe. Also infected were AVG files AVGui.exe, AVGscanx.exe, and AVGsrvx.exe as well as an Intel file IgfxSrvc.exe, and one other file which I didn’t find on Google called UACmntteaiy.dll, and if it were a Vista machine, I might guess that UAC stood for User Account Control, except this was an XP machine, so I don’t know.
I just did a scan and this was detected on AVG Free. I reckon if you make sure your virus definitions are up to date AVG should find it and zap it.
I noticed the same thing as Larry. I am curious what these files are since I’m running XP on this machine, and UAC is not included in XP.
“the following Windows OS files were all infected: winlogon.exe, services.exe, lsass.exe, svchost.exe, explorer.exe, and taskmgr.exe. Also infected were AVG files AVGui.exe, AVGscanx.exe, and AVGsrvx.exe as well as an Intel file IgfxSrvc.exe, and one other file which I didn’t find on Google called UACmntteaiy.dll, and if it were a Vista machine, I might guess that UAC stood for User Account Control, except this was an XP machine, so I don’t know.”
Also, before I make my machine un-bootable, will it clean these files, or just delete all infected files? Because I doubt my OS will boot without winlogon.exe, services.exe, lsass.exe, svchost.exe, explorer.exe, or taskmgr.exe. Take your pick; I don’t think it will boot with ANY of the above files deleted.
I read Larry’s post this morning and considered that I’d better make a couple of CDs before proceeding: 1. Ultimate Boot CD for Windows and 2. the files needing to be replaced. This seems a bit off given the fact that my wife’s computer is the only Windows system we have and I am concerned that the system I am pulling binaries from might not sync up …
I would also like to add to Larry’s post the fact that
1. I was unable to install and run any A/V packages from standard or safe modes. They all were running in taskmgr and doing nothing. I don’t remember how I managed to get AVG free to install on the system.
2. The machine would randomly lock up within at least 5 minutes.
3. AVG Free reported that the system passed and Panda Online saw the issue with UACmntteaiy.dll that did not seem to exist.
4. The trick for me was to use safe mode without networking and logged in as Administrator. It was then that AVG started finding and quarantining the file list Larry described.
We’ll see how the rest of this painful procedure goes …
1) AVG, SuperAntiSpyware and Malwarebytes were unable to clean the virus off my disk (with WinXP Pro).
2) They did, however, find the responsible virus files: agvykep.dll, agvykep.dll.bak and ggfthrb.dll (in Windows/System32/). They all had the same size of 103 kB; on your system they can have different names, but should have the same size. Write down the names of the virus files reported by your antispyware software.
Sort files by size in the Windows/System32 folder and check: even after the antispyware reports that it cleaned the infection, after reboot these files are still undeleted = the virus keeps on surviving the cleaning.
3) These files cannot be deleted in any way, not by Unlocker, nor in Safe mode.
4) The only way that worked for me was as follows:
a) Boot the system from the original Windows CD.
b) Choose R for Recovery Console.
c) Use the command line to go to the folder Windows/System32/ (CD .. to get to the required folder), where the files are, and use DEL yourfilename.dll (2 files) + DEL yourfilename.dll.bak (1 file) to delete them manually. (It works because the virus files are not loaded and locked, so you can delete the files with no problem.)
d) Remove the CD from the drive and then reboot into Safe mode; use antispyware software to get rid of the remaining 4 virus keys in the registry. Reboot.
Now it should be clean. Because this virus deletes all restore points but the one from the day when it was caught, you can also turn the restore point function OFF (to delete the ones with the virus) and then ON in order to have only a clean restore point from the date of the virus removal.
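A triage helper for the check RR describes above: DLLs in System32 of the reported size, a .dll.bak sibling next to each, and a file that survives cleaning because it is mapped into a running process. This is an added example, not code from the thread or from any of the tools mentioned; it assumes PowerShell 4.0 or later run from an elevated prompt, and the 103 KB figure and the example names are taken from RR's post, not from a fixed indicator.

```powershell
# Added triage helper (not from the thread). Assumes PowerShell 4.0+ (Get-FileHash)
# run from an elevated prompt; the 103 KB figure is the size RR's AV reported,
# not a fixed indicator, so pass whatever size your own AV reported.
function Find-SuspectDll {
    param(
        [string]$Dir = "$env:SystemRoot\System32",
        [int]$ReportedSizeKB = 103,   # size RR saw for agvykep.dll / ggfthrb.dll
        [int]$ToleranceKB = 2          # allow for KB rounding in the AV report
    )
    $lo = ($ReportedSizeKB - $ToleranceKB) * 1KB
    $hi = ($ReportedSizeKB + $ToleranceKB) * 1KB

    # Paths of DLLs currently mapped into some process. A file that "cannot be
    # deleted in any way" from a running Windows is usually one listed here,
    # which is why RR had to delete it from the Recovery Console instead.
    $loaded = @{}
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        try {
            foreach ($m in $_.Modules) {
                if ($m.FileName) { $loaded[$m.FileName.ToLower()] = $true }
            }
        } catch { }   # access denied on protected processes is expected
    }

    Get-ChildItem -Path $Dir -Filter *.dll -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -ge $lo -and $_.Length -le $hi } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Name      = $_.Name
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                Signature = $sig.Status                                  # Valid, NotSigned, HashMismatch, ...
                HasBak    = Test-Path -LiteralPath ($_.FullName + '.bak')  # RR saw a .dll.bak beside the DLL
                Loaded    = $loaded.ContainsKey($_.FullName.ToLower())
                SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        } |
        Where-Object { $_.Signature -ne 'Valid' -or $_.HasBak } |   # signed and no .bak is the normal case
        Sort-Object SizeKB
}

Find-SuspectDll | Format-Table -AutoSize
```

On older Windows many legitimate system DLLs are catalog-signed rather than embedded-signed, so treat NotSigned as a prompt to compare the SHA256 against a known-good copy, not as proof of infection.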
Thanks RR! I have exactly the same problem, none of the antivirus software mentioned above worked, can’t restore the system back to the clean state (click the next, computer does nothing). I’m going to try what you suggested here. But I don’t understand your last paragraph. Could you elaborate it further? Thanks!
Also, I think my infected files are Windows system files. If I delete them, what if Windows can’t start any more?
The Cryptor virus has quickly morphed into a nasty little problem. The genius mind that is being wasted creating this crud is using a classic roadblock technique, similar to the Smitfraud-type “XP Antivirus 2009″ of last fall. Each avenue found to be successful in overcoming the infection is disabled or interfered with in some way, so as to make removal of the “improved” version progressively more and more difficult.
I successfully removed Cryptor from a client’s laptop yesterday and I see lots of others are stuck, so here goes . . .
Platform was XP Home SP3. The client had McAfee and Malwarebytes, and both seemed to be properly installed, updated and functional prior to infection. Windows patches were also up to date. I set up this machine myself, about 6 months ago.
Upon infection, Malwarebytes was instantly disabled. Very cleverly done – double click on it, an hourglass appears briefly, then disappears . . . . and then absolutely nothing happens. A brand-new executable of the program was downloaded, and found to be similarly useless – it gave an error relating to a violation of administrator policy . . hehe . . . I was logged in as administrator. I explored the policy editor snap-in via command console, and found nothing awry.
I tried to install SuperAntispyware, which is great against Cryptor’s rootkit-type mechanism, but the bug blocked the installation with a bogus Windows error message.
Windows installer was still fully functional for installation of other programs, but the installation of Malwarebytes and SuperAntispyware were both completely disabled.
All boot modes were accessible, but installation of the two programs it “knew” could get it was impossible in any of them. Very clever . . . and very frustrating.
System restore came up in all modes, including command line. It also showed all previous restore points as valid, but any attempt to restore the machine to any of them resulted in a similarly frustrating dead end. On execution of the restoration, the machine just sits there and does absolutely nothing.
I jumped online (with the infected machine) and purchased a one-year license for PreVX Edge 3.0. It walked me thru installation, definition update, disabling network and antivirus during removal, and the scan (which took less than seven minutes). It found the virus had multiplied code into hundreds of locations, the tips of the root system. Then it automatically rebooted the machine and completed the rip-up of the rootkit.
On reboot, Malwarebytes had been restored to complete functionality. I was able to immediately download its current definition file and run a complete scan, which quickly located and fried the central components (about 6 files located in the system32 folder). Functionality of SuperAntispyware was restored also. I installed, updated and scanned with it normally. I continued to run scans with PreVX, Malwarebytes and SuperAntispyware in succession until everything reported back as clean.
My own personal machines are running AVG Free 8.5 and PreVX Edge 3.0 simultaneously with no interference. SuperAntispyware is heavy on system resources, so I have it installed – but it only runs manually when I chose to, about once a week.
Anyone who has Cryptor or other entrenched rootkits on their machine will do well to pay 30 bucks for PreVX. It will remove infections quickly and easily, and provides excellent real-time protection against Cryptor and its ilk in the future. I’m sure there is some complicated technical solution here also, but this is what worked for me. Hope it helps others too. ~greg
I got infected too.. I only have AVG and Nod32 installed, which didn’t find anything, and I can’t install any other programs. Right now I don’t have the Windows CD with me and AVG just detects the Cryptor virus but doesn’t delete it. What else can I do? Please help, I have a lot of very important archives here and can’t lose them.. BTW my computer doesn’t detect the USB drives.
WEBMASTER’S #1 COMMENT worked perfectly for me. I had this Win32/Cryptor running in about 6 different Windows system processes and could not get rid of this nasty lil virus. I downloaded Malwarebytes’ Anti-Malware… followed webmaster’s directions to a “T” and it worked like a charm. I will be keeping this great program in my spyware / malware arsenal. This program picked up 14 more threats that Spybot S&D and Ad-Aware didn’t pick up. My computer’s running great and as fast as ever… THANKS for the most helpful information!!
Thanks Greg, for detailed informercial :-)!
Actually I got the help from the great team in Geekpolice.net. They walked me through every step of the way to completely clean up my system. And it’s absolutely free! Just remember to publicize their service and make any donation if you feel like. For the quality service I received I will definitely do that. XXVII, go and check it out, and report it back here to help others.
Hey, I finally got rid of that virus!! Here are some tips:
* Run AVG to detect the virus
* Rename the Malwarebytes’ setup name before you download it
* If Malwarebytes installed but will not run, navigate to this folder:
C:\Program Files\Malwarebytes’ Anti-Malware
and rename all the .exe files in the Malwarebytes’ Anti-Malware folder and try to run it again.
* Follow all the steps from the first post
* Then download SUPERAntiSpyware and run a full scan to kill all of Cryptor’s family
* Run AVG again and do another scan, and the virus should be gone!
After killing the virus I still had my USB problems, so I uninstalled my NOD32 antivirus, which didn’t help me this time, and my USB ports came back to life! So I think I will just keep AVG and Anti-Malware in my arsenal, and maybe the SUPERAntiSpyware too, just in case..
Thank you a lot for your help guys, but I hope I don’t have to see you again anymore.. haha, see ya
What is the likelihood that a computer infected with the virus that sent out e-mails with attachments would infect the computers that received the e-mail attachment?
I just followed XXXI’s instructions (about renaming the Malwarebyte .exe files) and I was actually able to use the program. I’m pretty certain the virus is gone from my computer.
I no longer get the random pop-ups, and when I search for win32 cryptor removal, the search engine actually works for me. Thanks so much!
How do you rename the file when downloading? For me it only lets me either save the file or nothing, and I tried just renaming it after I downloaded it and it finally lets me open the setup file, but it won’t complete the installation.
I’ve a question similar to Nick G’s. When I do try to download Malwarebytes it doesn’t seem to have any option to rename the setup file it comes packaged in. It’s just mbam-something. What’s that all about? Once I download it I can rename it, but it won’t open at all. I click it, get the hourglass for a second or so, then nothing. Even if I change its name, which is something I can’t seem to do before it’s actually downloaded.
APLUSTECH #27 solution nailed the win32 cyptor just like he said. Everything is finally clean thanks to him and prevx edge 3.0. So far everything is finally gone, best $30 I spent. Thx Greg.
XXXI instructions work like a charm(Post #31). Thanks!!!
I found this bug on my neighbor’s computer today. He called me a couple of days ago saying something called “Spyware 2009″ was trying to install on his PC. It looked like scareware.
I ran AVG Free 8.5 while the PC was in safe mode and it quarantined the bug from the registry and /globalroot. This was all I needed to return him to full functionality. I was surprised it was so easy to take care of since I was expecting to do more. This guy is on dial-up so I felt pretty lucky.
If it comes back it looks like XXXI has the best solution.
I spent hours trying to remove this virus when I came upon this site. What worked for me is downloading the Superantispyware. This allowed the Malwarebytes to work, and I then re-ran AVG, which had detected the virus, but couldn’t remove it.
Thank you all for saving my computer!
I have been battling this nasty Cryptor… My son infected all of the family’s laptops using an infected flash drive. I have one laptop left to clean up. SuperAntiSpyware keeps crashing. Prevx 3.0 needed to be set from a deep scan to full scan. I also slowed the scan down. By doing those two things Prevx picked up a worm and two malwares that didn’t show up on the “deep” scan setting. I have just finished running Malwarebytes and it came back clean. I’m running AVG 8.5 now to see if Cryptor is still in my computer…. When that’s done then I’m going to retry SuperAntiSpyware, which kept crashing when I tried to use it!
+1 to XIII’s solution (#31). This worked a treat. Thanks a lot for posting! P.S. my USBs were also messed up, however removing the virus cleared the problem up, thank god!
In response to 31’s solution:
Even upon renaming the Malwarebyte’s .exe file names, the files won’t load. Any advice available?
Hi, just to say thank you so very much. I stumbled upon this blog after about 9 hours of battling with this trojan, and followed a combination of webmaster’s and Greg’s advice. Seems this has succeeded in removing the trojan, and as a 3rd year uni student I am extremely grateful not to have lost my work or, hopefully, any finance info.
Thanks again, guys :D
I have the same trojan, although I cannot get on the internet on the infected computer (broadband Tiscali). Any ideas??
Thanks
Dave
Hi, can anyone please help me? I’m pretty clueless. I read all of the comments but my issue seems slightly different.
I have AVG and every time I open internet explorer or the my documents folder, it opens up with a threat– the cryptor virus. They all seem to mention this one system 32 file which I am afraid to delete because of what it might do to my computer. Other files mentioned are winlogin and svchost.
The thing is… I already have Malwarebytes on my laptop; I had no problem downloading or running that or SuperAntiSpyware. They both run and find a few tracking cookies and earlier a few spyware things but otherwise nothing. And AVG keeps popping up with cryptor.
My computer otherwise is acting completely normally– not slow, internet works, thankfully.
What should I do? I even had someone help me run AVG in command line (not sure what that means) in safe mode, it seemed to get rid of everything, but when I rebooted, it came back.
Hi, can anyone help? I have a virus on my computer which won’t let me go online to download the latest virus software, but my friend is letting me use their computer. Has anyone got any idea??
Thanks
FYI – Follow the instructions in post 31. That seems to be doing the job.
For those w/ additional questions about post 31:
Download Malwarebyte’s application to your computer. Then, locate the downloaded file and rename the downloaded file to something else like MAL.EXE. (The Cryptor virus prevents it from running w/ the original filename) Next, install malwarebyte using the renamed file.
After you’ve installed Malwarebytes, follow the instructions from Post 31 listed below if Malwarebytes will not run after installation.
Also: You can run Spybot and other antispyware applications by renaming those downloaded files too. (cryptor is preventing those apps from running based on their file names)
Also: IMPORTANT: You’ll have to download updated definition files for all these antivirus and antispyware applications; otherwise, they will not detect the latest version of Cryptor. Since Cryptor is likely blocking your Internet connection, you’ll need to manually download the definition files from another computer, save them to a USB drive and then copy the definition files from the USB drive to your infected computer. You’ll then need to update your antivirus/antispyware programs with these definitions. Check the help sections of the various applications to determine how to update definitions manually.
Good luck:
From post 31:
* If Malwarebytes installed but will not run, navigate to this folder:
C:\Program Files\Malwarebytes’ Anti-Malware
and rename all the .exe files in the Malwarebytes’ Anti-Malware folder and try to run it again.
* Follow all the steps from the first post
* Then download SUPERAntiSpyware and run a full scan to kill all of Cryptor’s family
* Run AVG again and do another scan, and the virus should be gone!
After killing the virus I still had my USB problems, so I uninstalled my NOD32 antivirus, which didn’t help me this time, and my USB ports came back to life! So I think I will just keep AVG and Anti-Malware in my arsenal, and maybe the SUPERAntiSpyware too, just in case..
Thank you a lot for your help guys, but I hope I don’t have to see you again anymore.. haha, see ya
I can’t execute the program. ANY of them. I have AVG working and scanning and I removed the virus in SAFE MODE, but it didn’t actually remove it. I downloaded the SPYWARE one, but I can’t get anything to install any more… Got an issue… NE help?
All of this DLed from Download.com
1. AVG Free 8.5
run quick scan to verify you have the virus
2. Glary Registry Repair (DL it)
run that. Fix it all, but please do look at the + boxes.
3. shut down comp. wait 10 secs. reboot.
4. run AVG again
5. do Glary again
6. shut down
7. Download Ad-Aware (free) Anniversary Ed
install it
8. shut down
9. do Glary
10. run Ad-Aware, and fix probs
11. shut down
12. at this point DL Avast (free ver)
13. it’s gonna say run boot scan, say YES, it’s gonna look weird, don’t worry about it. just keep hitting 1
reboot
run AVG again to see if you got it
after you have done that a few times, the post above. try and DL Malwarebytes from the same website, download.com
if you can do it, and install it, and run it; I think you are good to go.
larry
While the Cryptor is a complete pain in the butt and is very ‘tricksy”, download your anti-virus software to your desktop and then rename it to something like “test”. Then try to install the antivirus software under its new “name”. Cryptor does not detect the name as an antivirus software and lets it install. You can also try this in safe mode if you cant run it in normal mode. Cryptor…now who is “tricksy”!!!
*My main suggestion, if all else fails, is at the very bottom.*
I had tried many of these ways, but couldn’t get free versions of anything to fully download. I finally emailed Microsoft and AVG (I have the paid version) and they both were working on my problems, when one day I had big updates on my computer and when I turned it back on it took 30 minutes to boot up as it was doing some scan. Some of the Win32 family was found and removed, but not Cryptor.
I then followed XXXI’s suggestion as I was now able to run free versions of anti-spyware and ran Mal, then Super, then a full AVG scan, then ran AVG the next day, then the next. My computer still has minor issues and it’s 3 years old, but it has killed the Win32 family and no anti-spyware program detects anything anymore!
My suggestion is to email your virus provider and have them do an analysis of your computer. AVG did that for me. Also, have patience as killing these things isn’t instant.
Cryptor has completely disabled my computer. I had AVG 8.5 installed to begin with and it found it but couldn’t do anything about it. Tried the scan in safe mode to no avail. Now I can’t get on the internet bc it wont let me open a browser so I downloaded the Malwarebytes onto a flash drive. I can open the flash drive, but it will not let me transfer the file onto the hard drive. It doesn’t matter what it’s named, it won’t allow any downloads of any files. System restore is disabled. I tried manually deleting the affected files and it won’t allow any deletions. I’m considering hurling the thing out the window, but I don’t want to harm an innocent bystander:(
I had this virus and none of the above suggestions would work for me, so if you are in that situation too I suggest you use PC Tools Spyware Doctor. I paid for it but I think there is a way to get it free from Gmail; you can download a ‘pack’ or something. I couldn’t figure out how to do it so I’m sorry I can’t give instructions, but if I do figure it out I will come back on here and say. But yeah, that’s your program, cleared everything up fine for me!!
Yeah, just go to pack.google.com and there is a list of software you can download, Spyware Doctor is one of them and it’s free :)
One note to XXXI’s post.
If renaming the .exe files still doesn’t allow you to launch the executable, try checking the properties of mbam.exe (now renamed) and use the Compatibility tab. I set it to be compatible with Windows 98/ME and retried the .exe. Worked like a charm.
Can plugging my MP3 player into the usb to charge the battery infect the player? I’ve been trying to get rid of the virus for a day now but haven’t been successful yet. I plugged in my Mp3 player to charge it without really thinking that it could harm it, but now when I use it the sound is sorta messed up.
To Lyn:
Yes. If your mp3 player is the type that acts the same as a Flashdrive (AKA thumbstick, thumbdrive, USB stick, etc) then YES it can get infected!
Hey, I have read about every comment, so check it:
This virus acts close to the Sircam virus.
Step one (if you can): run AVG 8.
If you can’t get AVG to open, go to Run:
cmd
C:\windows\system or C:\winnt\system32
type ATTRIB -S -H -R Scam32.exe
(even if you don’t have the Sircam virus)
This pulls the virus to the surface of your comp and shows the virus tendencies. Don’t freak out; now you should be able to run AVG.
reboot
run Malwarebytes
reboot
run Spybot S&D
reboot
You should be clean.
XIII’s Solution worked great but needed to run superantispyware a number of times to cure the computer.
The best thing is the fix is free
I have been studying and following all of the courses of action that everyone here has been talking about. I have Vista. I had to have someone send me AVG zipped through email. I had to rename Malwarebytes over and over, changing paths and ran them repeatedly in safe mode, to no avail. When it finally ran clean, the virus was still there. SuperAnti-Spyware picked up a lot of things that Ad-aware did not. Malwarebytes picked up things that AVG did not. Glary Registry Repair is useless compared to CCleaner. Trend Micro’s “House Call” was useless.. passing by my Windows system 32 folder with no objects found. I finally found prevX, it highlighted 3 problems, AVG was only finding 2. It prompted me to pay for a year at the rate of $24.95/month for which I angrily slapped down my Visa card number. But it’s gone – all scans are coming back clean, my firewall remains on after booting up, and no warnings opening firefox.
Like RR said in the post dated March 30, 2009 at 2:48 pm, it worked for me too. First my AVG was popping up every minute because it found Cryptor in windows/system32 and it was the same file every time. The easiest way to remove it is to restart the computer, choose Recovery Console and then go to the directory windows/system32 and delete the file and its .bak copy. That’s the easiest way if spyware tools don’t detect the virus. AVG detects it but can’t remove it.
I got it a couple of days ago and I am new to Vista so I wanted to repartition the drive to back up my 45gigs of music and 12gigs of pics and other assorted crap. Went to walmart and picked up a 250gb external drive for $70, backed everything up and ran the system recovery… only after Malwarebytes Anti-Malware, AVG, IoBit Advanced System Care, Regedit FAILED!.
First F-ING virus in 10 years…if someone knows who created this crap let me know…I wanna beat them senseless. I have had to reformat due to my own mistakes in the past but not cause of anyone else.
I am back up and running now and still not happy the amount of work I had to do to get here.
Cryptor has more or less fried my computer. I took it to a specialist who removed most of the virus, but was unable to get rid of that pesky system32/svchost.exe file. My plan is to transfer some key files via USB to another computer and then wipe the hard drive.
Here's my question: if I move over pictures and movies from the infected system, and scan the flash drive with AVG, SuperAntiSpyware, Ad-Aware and Malwarebytes before moving the files over, is there still a chance of the virus moving to the second computer?
Guys, just wanted to thank you for the info on removing this nasty. Got it removed by RR's March 30 procedure.
Pain in the ass virus, but I think I got it licked.
AVG detected the threat and allowed me to heal the infection, but seconds later it popped up again.
hmmm
Laptop is infected. I had deleted temporary internet files etc. and also run Window Washer (I believe that the virus was attached to a game my 7-year-old son Jack was playing on "Game Garage") and that the cookie was drawing the virus back in each time.
I couldn't understand why it was reappearing after getting rid of the cookies etc., then I suddenly realised that my son had been playing on his own profile and that the cookies were still stored there.
Deleted all cookies on all user accounts and am now scanning with AVG, and it appears to be gone.
This might help. Feedback please.
AVG can't heal this or delete it. I've deleted my system restore points. I've run Malwarebytes and followed its instructions. Malwarebytes says it removes it, but when I rescan it is still there... same with re-running AVG... I'm trying SuperAntiSpyware now... I'll report back...
This virus is also installed with many of those fake antivirus programs that pop up, tell you that you’re infected, then instruct you to pay them in order to remove the virus. AVG 8.5 will detect it, and attempt to remove it, but to be safe you should likely wipe your PC completely. Even attempting to remove this virus infects removable drives as well so you’ll end up getting it back if you aren’t careful.
My suggestion: start from scratch to be safe, NEVER pay any company with your credit card (if you did, you had better report your card compromised) after getting this virus. Get out your restore CD’s, wipe the HD and re-install. If you must back up your files, treat them as infected until you can scan them later.
I just got zapped by this virus. Running AVG Free I get a long list of detections similar to this excerpt:
“\\?\globalroot\systemroot\system32\geyekreiqwroem.dll”;”Virus identified Win32/Cryptor”
“C:\PROGRA~1\POPFile\popfileib.exe (3080)”;”Virus identified Win32/Cryptor”
“\\?\globalroot\systemroot\system32\geyekreiqwroem.dll”;”Virus identified Win32/Cryptor”
“C:\WINXP\system32\rundll32.exe (4072)”;”Virus identified Win32/Cryptor”
“\\?\globalroot\systemroot\system32\geyekreiqwroem.dll”;”Virus identified Win32/Cryptor”
“C:\Program Files\Mozilla Firefox\firefox.exe (3516)”;”Virus identified Win32/Cryptor”
“\\?\globalroot\systemroot\system32\geyekreiqwroem.dll”;”Virus identified Win32/Cryptor”
“C:\Program Files\AVG\AVG8\avgui.exe (588)”;”Virus identified Win32/Cryptor”
“\\?\globalroot\systemroot\system32\geyekreiqwroem.dll”;”Virus identified Win32/Cryptor”
“C:\Program Files\AVG\AVG8\avgscanx.exe (3872)”;”Virus identified Win32/Cryptor”
“\\?\globalroot\systemroot\system32\geyekreiqwroem.dll”;”Virus identified Win32/Cryptor”
“C:\Program Files\AVG\AVG8\avgcsrvx.exe (2420)”;”Virus identified Win32/Cryptor”
However, I am unable to find the file geyekreigwroem.dll
Am I missing something?
Thanks
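A note on the log above, and an added example that is not part of the original thread or of AVG's own tooling. The odd-looking path `\\?\globalroot\systemroot\system32\...` is not a separate location: the `\\?\GLOBALROOT\` prefix lets a Win32 path name an object in the NT object namespace, and `\SystemRoot` there is a symbolic link to the Windows directory (on the poster's machine that is `C:\WINXP`, as the `rundll32.exe` line shows). So the hidden file is `C:\WINXP\system32\geyekreiqwroem.dll`; note also that the name searched for in the follow-up question differs from the logged name by one character (`g` instead of `q`). The lines without a PID are the file on disk; the lines with a PID are processes in which that DLL is loaded, which is why every running program, AVG's own scanner included, is reported. The script below parses AVG result lines of this shape, infers `SystemRoot` from the log, rewrites the globalroot path, and separates file detections from in-process detections. The sample log is retyped from the post with straight quotes; the line format is an assumption based on those lines only.

```python
import re

# Constructed sample input: the AVG 8 result lines quoted in the post above,
# retyped with straight quotes. The rundll32.exe line shows this machine's
# SystemRoot is C:\WINXP, which is what lets the globalroot path be resolved.
SAMPLE_LOG = r'''
"\\?\globalroot\systemroot\system32\geyekreiqwroem.dll";"Virus identified Win32/Cryptor"
"C:\PROGRA~1\POPFile\popfileib.exe (3080)";"Virus identified Win32/Cryptor"
"\\?\globalroot\systemroot\system32\geyekreiqwroem.dll";"Virus identified Win32/Cryptor"
"C:\WINXP\system32\rundll32.exe (4072)";"Virus identified Win32/Cryptor"
"\\?\globalroot\systemroot\system32\geyekreiqwroem.dll";"Virus identified Win32/Cryptor"
"C:\Program Files\Mozilla Firefox\firefox.exe (3516)";"Virus identified Win32/Cryptor"
"\\?\globalroot\systemroot\system32\geyekreiqwroem.dll";"Virus identified Win32/Cryptor"
"C:\Program Files\AVG\AVG8\avgscanx.exe (3872)";"Virus identified Win32/Cryptor"
'''

# One AVG result line, as seen in the post: "<path>[ (<pid>)]";"<verdict>"
# (assumed format; only these lines were available to base it on).
LINE_RE = re.compile(r'^"(?P<path>.+?)(?: \((?P<pid>\d+)\))?";"(?P<verdict>[^"]*)"$')

# \\?\GLOBALROOT\ exposes the NT object namespace to Win32 paths, and
# \SystemRoot in that namespace is a symbolic link to the Windows directory.
GLOBALROOT_SYSTEMROOT = r"\\?\globalroot\systemroot"


def parse_avg_line(line):
    """Return {"path", "pid", "verdict"} for one result line, or None if it does not match."""
    line = line.strip().replace("\u201c", '"').replace("\u201d", '"')  # tolerate curly quotes
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "path": m.group("path"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "verdict": m.group("verdict"),
    }


def infer_system_root(records):
    """Take the directory above \\system32\\ from any ordinary Win32 path in the log."""
    for rec in records:
        low = rec["path"].lower()
        idx = low.find("\\system32\\")
        if idx > 0 and not low.startswith("\\\\?\\"):
            return rec["path"][:idx]
    return None


def normalize_nt_path(path, system_root):
    """Rewrite \\\\?\\globalroot\\systemroot\\... to <system_root>\\..."""
    if system_root and path.lower().startswith(GLOBALROOT_SYSTEMROOT.lower()):
        return system_root + path[len(GLOBALROOT_SYSTEMROOT):]
    return path


def summarize(log_text):
    """Split detections into on-disk files and the processes the DLL was found loaded in."""
    records = [r for r in (parse_avg_line(l) for l in log_text.splitlines()) if r]
    system_root = infer_system_root(records)
    files, processes = [], []
    for rec in records:
        if rec["pid"] is None:
            path = normalize_nt_path(rec["path"], system_root)
            if path not in files:
                files.append(path)
        else:
            processes.append((rec["path"], rec["pid"]))
    return {"system_root": system_root, "files": files, "processes": processes}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("SystemRoot:", result["system_root"])
    for f in result["files"]:
        print("file on disk :", f)
    for exe, pid in result["processes"]:
        print("loaded in    :", exe, "pid", pid)
```

Running it prints one file path and four host processes. A file reported under a globalroot path that does not show up in Explorer or `dir` is consistent with the rootkit behaviour described at the top of the page, which is why several posters had better luck with an anti-rootkit scanner than with a plain file search.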
Much love to all of you. I had the same problem, followed all that you recommended, and my computer is back to life. Thanks loads, you just saved my computer.
thanx, woohooo! THANXXX!!!
I have the same prob – AVG can’t get rid of it and system restore won’t let me go back far enough.
How do I wipe my computer if Acer didn’t give me a back-up cd? it’s a netbook with no DVD drive. Thanks.
I’ve bought AVG and when I came across Cryptor on my machine I tried many of the above approaches – all to no avail.
It then crossed my mind to e-mail AVG and from then on everything was handled perfectly.
Fast, polite responses, easy to follow instructions, and finally AVG signed onto my PC remotely and performed their magic in front of my eyes.
Thanks Stefan. I can’t recommend the service enough.
I had the same problem. I tried AVG, Anti-Malware, Norton, everything... can't get rid of it, and System Restore won't let me go back. Even the recovery CD doesn't work. Then I scanned with Sophos Anti-Rootkit and that works! It found hidden rootkit files and let me delete them. It also found the original virus file, which was an .mp3 file.
I have the same virus. It sneaked past my Avira, turned off the guard and seems to find my hard drive very cosy. Malwarebytes doesn't install, not even after renaming it. It hangs when the installation is completing. So far that's the most recommended solution here; I'll have to find some other way. My AVG is detecting it, but can't delete it fully, as stated many times over here.
Is there another way to kill it for free?
I have to say a great “thank you” to this forum.
My notebook has been infected by Cryptor, and it didn't run correctly for a couple of days: restarts without any warning, PC blocked, no safe boot, etc. I have AVG antivirus, which detects Cryptor but does not remove it.
Then I followed the tips of post #31, and with some additional complications, I got rid of the virus (I hope so...).
The story:
1) Any attempt to install SuperAntiSpyware and Malwarebytes in the affected computer (even changing the name of the files) didn’t work.
2) Then, I tried the procedure suggested by Boris (post #73, thanks Boris!). Sophos Anti-Rootkit was not only installed correctly but allowed a first cleaning of some infected files.
3) After step 2, I could install both SuperAntiSpyware and Malwarebytes, download the latest definitions for both, and start the cleaning.
4) It seems that Cryptor was removed from the system...
5) At the moment, I am running the Kaspersky online scan to detect any traces.
Thanks again to the forum for the precious info.
Response 31 worked for me too!
Well, battled this virus for about 3 hours to no avail. Decided to do a little research and found myself here after looking at forums and trying a few ideas.
Post #73 did the trick. Downloaded Anti-Rootkit and ran it. I just googled the files and saw which ones I needed to delete. After the system restart, I downloaded Malwarebytes. Installed flawlessly. Ran as specified in the very first post.
I downloaded Sophos Anti-Rootkit. Scanned my computer and it found all the original virus files: askhdkasjdklja.dll, asiohdoasjdoij.tmp, asihdoashdol.exe. Something like those files, with weird random letters in them. And I deleted them all. Then I scanned with Malwarebytes and SuperAntiSpyware. Cleared everything up! No more random Google search ads when I click on search results.
Steps:
1. Download Sophos Anti-Rootkit
2. Scan w/ Sophos Anti-Rootkit
3. Restart
4. Scan w/ Malwarebytes
5. Restart
6. Scan w/ Superantispyware
7. Restart
8. CLEANED! =)
This is what i did…i dont know if it’ll work for everyone.
Response 31 worked for me, and I did not even have to go into safe mode (my safe mode won't work, lol, I get the blue screen of death... but that's a whole other problem). I also unplugged my internet and the ads stopped coming while I was fixing the problem (I already had Malwarebytes and AVG downloaded).
Hi all. I’ve had this bug for about a week now, and nothing seems to work. I have AVG and Malwarebytes installed, but neither will scan or run. I downloaded Sophos minutes ago, but it won’t install. I’m so out of ideas… any help is appreciated. And thanks to everyone sharing their knowledge.
I'm glad that someone has found quicker help with my recommendation (#73), because the fight with the virus took me over 90 hours before I found Sophos Anti-Rootkit.
Response 78 saved my computer.
Thanks to precisesecurity.com, Sophos Anti-Rootkit, Malwarebytes, and Superantispyware.
Thanks to everyone.
Sophos anti-rootkit works magic. all other anti-spyware softwares couldn’t solve the problem.
Ok, so we did everything that was listed and after running all the spyware/virus detection programs we have not found ANY virus on the computer however, it will still not let us access the internet using an ethernet cord. Anyone else have this issue? Were you able to resolve it?
I got Peggle Nights and put it on my flash drive, and when I tried running it, it said it had this virus and I was like wtf -.- Now I can't play Peggle Nights :(
Boris or xXtra or anyone else:
Got Cryptor months ago. It fried Malwarebytes, fried Spybot, fried my restore points, AVG picked it up but wouldn't remove it, and for the last few weeks AVG won't even run a scan.
Have downloaded Sophos and run a scan. It has picked up 250 entries, mostly .tmp files starting with UAC (example: C:\WINDOWS\Temp\UAC68d.tmp), but also about two dozen random letter files like hjgruimxbfhqpx.dll. Sophos doesn’t recommend cleaning up any of them.
Do I delete everything, all 250? Do just start with the “hjgru” files?
Any advice would be appreciated. I’ve lived with this virus for months, and my system is getting so threadbare that I have a hard time getting the computer to boot at all.
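The question above (250 entries, mostly `UAC*.tmp` files plus random-letter DLLs, and the scanner not recommending cleanup) is the usual triage problem with anti-rootkit output, and the earlier Sophos post describes names of the same shape (`askhdkasjdklja.dll`, `asiohdoasjdoij.tmp`). Rather than deleting all 250, a practitioner would compare the listing against a clean baseline and rank what is left. The script below is an added example, not from the thread or from Sophos: it flags `UAC*.tmp` by name and scores the remaining names not in the baseline with a crude randomness heuristic (longest run of consonants, plus a penalty for a `q` not followed by `u`). The listing, the baseline and the threshold are all constructed for the example; legitimate long names such as `shellstyle.dll` can score high, which is exactly why the baseline check comes first and why the output is a review list, not a delete list.

```python
import fnmatch
import os

# Constructed sample listing: names of the kind the posts above report from
# Sophos Anti-Rootkit, mixed with ordinary Windows file names. Not a listing
# taken from any real machine.
SAMPLE_LISTING = [
    "UAC68d.tmp", "UAC1a2.tmp", "hjgruimxbfhqpx.dll", "geyekreiqwroem.dll",
    "askhdkasjdklja.dll", "kernel32.dll", "ntdll.dll", "rundll32.exe",
    "shellstyle.dll", "powershell.exe", "msvcrt.dll", "notepad.exe",
]

# Constructed baseline (assumption): names known from a clean install. In
# practice this would be a listing taken from a clean machine or install media.
CLEAN_BASELINE = {
    "kernel32.dll", "ntdll.dll", "rundll32.exe", "shellstyle.dll",
    "msvcrt.dll", "notepad.exe",
}

VOWELS = set("aeiou")


def randomness_score(stem):
    """Crude score: longest consonant run (y counts as a consonant),
    plus 2 if the stem contains a 'q' not followed by 'u'."""
    longest = run = 0
    for ch in stem:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    score = longest
    for i, ch in enumerate(stem):
        if ch == "q" and (i + 1 == len(stem) or stem[i + 1] != "u"):
            score += 2
            break
    return score


def triage(names, baseline, min_len=10, threshold=4):
    """Return {name: reason} for the entries that deserve a closer look.

    Names in the baseline are skipped. Only all-letter stems of at least
    min_len characters are scored, so short names like ntdll or msvcrt,
    which have long consonant runs but are legitimate, are left alone.
    """
    flagged = {}
    for name in names:
        low = name.lower()
        if fnmatch.fnmatch(low, "uac*.tmp"):
            flagged[name] = "UAC*.tmp temp file of the kind reported by the scanner"
            continue
        if low in baseline:
            continue
        stem, _ext = os.path.splitext(low)
        if len(stem) >= min_len and stem.isalpha():
            score = randomness_score(stem)
            if score >= threshold:
                flagged[name] = "random-looking %d-letter name, score %d" % (len(stem), score)
    return flagged


if __name__ == "__main__":
    for name, reason in sorted(triage(SAMPLE_LISTING, CLEAN_BASELINE).items()):
        print("%-22s %s" % (name, reason))
```

On the sample this lists the two `UAC*.tmp` files and the three random-letter DLLs, and leaves `powershell.exe` (a long name with no long consonant run) alone. The scores are only there to order a human review; the deciding check for anything it lists is whether the file exists in a clean copy of the same Windows version.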
AVG works
My AVG picked it up but won't let me get rid of it. I tried to install Malwarebytes Anti-Malware, but I can't rename it before it downloads, and when I go into the folder to rename it I can't find any .exe files. I'm thinking I might have to do a full system restore to around 5 months back, which would really suck.
AVG picked it up but won't let me remove the virus, and my Trend Micro Anti-Virus won't pick it up at all, and the virus won't let it update.
I tried to download Malwarebytes Anti-Malware, but I can't rename the file before downloading, and afterwards when I try to rename it I can't find any of the .exe files, so it won't open.
I'm thinking maybe a System Restore would help, but I would have to go back about 6 months, which would really suck.
When you get the choice to save or run the download, click save. You will then get the ’save as’ prompt. It’s at this point that you can change the name.
System restore won’t delete any of your saved files.
I followed the steps in #31 and the initial post by webmaster and it appears Cryptor is gone.
Prior to this AVG had found and quarantined win32/Cryptor in an “\temp\Installer.exe”. But when I would sign onto the one account that seems infected pop-ups would occur again and re-infection would occur. This happens shortly after login without any program being manually started. Only the one account seems infected, not others, the one being a non-administrative account. However, I was not able to write to a DVD.
During this AVG found nothing more, MBam found four executables in “\temp” and removed them, and SuperAntiSpyware reported nothing more than tracking files (e.g. cookies).
I have a remaining concern that I don’t see what actually removed the cause of re-infection. There was no report of removing a rootkit or anything else except the four executables in “\temp” and the various tracking files.
What actually removed the re-infection source?
Follow-up to #91
A little later it was obvious the infection was still there. It seemed clean for a little while but then pop-ups again even without using any software manually invoked.
Malwarebytes found more and removed. But this did not permanently remove the problem.
Installed PREVX 3.0 which found three more and with the paid version removed them. There is a coupon available for a 10% discount.
I am not convinced all is gone. I’ve had two weird occurrences still: 1) signed on and no sign of PREVX running (but should) and also no sign within IE 7 of it running, so I logged off. Then, 2) my passwords to accounts did not work.
So I rebooted my PC and then my passwords worked and PREVX is there on logging in and in IE 7.
I guess this is a chapter book.
I have the Win32/Cryptor virus!! My computer runs fine; it just has AVG telling me every 10-15 minutes that it is blocking the virus!! I have tried everything to get rid of it! AVG can block it, but doesn't find it during scans. Malwarebytes doesn't find it. Tried running in safe mode, but the virus seems to be making it unable to do so; safe mode will not work! Tried restoring to a former day, but my computer says that I haven't got any of that information saved to do so. It's really frustrating me; I'm not sure what else to try. I don't want to have to reinstall Windows.
This thing is bad. I was running NOD32 with all monitors enabled. Cryptor got past it. I noticed all sorts of programs and processes coming and going in Task Manager. I tried to do a deep scan with NOD32. I got a message saying "NOD32 is not a valid Win32 application." So I tried to reinstall NOD32. Forget that. It also wiped out .MSI.
I just finished reinstalling Windows and SP2. I also installed AVG. I am scanning all of the documents I backed up on a USB hard drive. Cryptor populated itself into .zip and .rar files I have had for years.
Whatever you have to do, do it right away.
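The post above found Cryptor inside .zip and .rar files in an old backup, an earlier post advised treating backed-up files as infected until scanned, and another found the original dropper saved as an .mp3. The common lesson is that a file's extension says nothing about what it is. Below is an added example, not from the thread or from any scanner, of a pre-restore check over a zip archive: it flags members by executable extension, by double extension, and, independently of the name, by content, looking for the `MZ` stub and the `PE\0\0` signature that every Windows executable and DLL starts with. The archive is constructed in memory for the example with a minimal fake MZ/PE header standing in for an executable; only zip is handled because the standard library has no RAR reader (a RAR archive would need a third-party module, which is outside this example).

```python
import io
import struct
import zipfile

# Extensions Windows will execute directly (assumed list for this example).
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".cpl", ".sys",
                   ".bat", ".cmd", ".vbs", ".js"}


def looks_like_pe(data):
    """True if data starts with an MZ stub whose e_lfanew (offset 0x3C)
    points at the 'PE\\0\\0' signature, i.e. a Windows executable image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_zip(zip_bytes):
    """Return {member_name: [reasons]} for members that look executable,
    judged by name (extension, double extension) and by content (MZ/PE)."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            if len(parts) > 1 and "." + parts[-1] in EXECUTABLE_EXTS:
                reasons.append("executable extension")
                if len(parts) > 2:
                    reasons.append("double extension")
            with zf.open(info) as fh:
                head = fh.read(4096)  # the headers live in the first bytes
            if head[:2] == b"MZ":
                reasons.append("PE image" if looks_like_pe(head) else "MZ header")
            if reasons:
                findings[info.filename] = reasons
    return findings


def fake_pe():
    """Constructed minimal MZ/PE header for the sample; not a real program."""
    buf = bytearray(0x40)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)  # e_lfanew -> right after the stub
    return bytes(buf) + b"PE\x00\x00" + b"\x00" * 20


def build_sample_archive():
    """Constructed backup archive: two innocent files, two executables in disguise."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("docs/notes.txt", "meeting notes")
        zf.writestr("pics/holiday.jpg.exe", fake_pe())      # double extension + PE
        zf.writestr("music/track01.mp3", fake_pe())         # PE hiding behind .mp3
        zf.writestr("music/track02.mp3", b"ID3" + b"\x00" * 100)  # ordinary tag header
    return out.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_zip(build_sample_archive()).items():
        print(name, "->", ", ".join(reasons))
```

On the sample it reports `pics/holiday.jpg.exe` and `music/track01.mp3` and passes the text file and the real-looking mp3. This does not identify malware, it only tells you which members need a proper scan (or should not be restored at all); a scanner run on a clean machine, as the earlier post suggested, is still the deciding step.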
The issue for me is finally resolved!
After following all that was written here AVG kept popping up with virus alerts even though the scans came up clean.
I could not do a system restore since the virus infected to restore files.
Windows update was also not working.
This is what I did:
1. Download the latest Windows Malicious Software Removal Tool at hxxp://www.microsoft.com/downloads/en/default.aspx
run the tool. restart computer.
2. Since windows update wasn’t working I opened up a support ticket at hxxp://support.microsoft.com/ph/6527/en-us/#tab0
click contact a support professional by email. They helped me through the process until I was able to download all the critical security updates I missed.
3. Run a full free PC scan at hxxp://onecare.live.com/site/en-us/default.htm
follow instructions after scan.
4. Download Microsoft Security Essentials from same website.
5. Disable all anti-virus/spyware programs and run Microsoft Security Essentials complete scan.
6. Repeat steps 3 and 5 until all infections are removed.
I got the virus as well. I just ran AVG twice; it found some viruses and removed them, but the main virus was still there. Ran Malwarebytes, which I already had on my computer, and it found 100 more on top of it and fixed it all. The virus is gone as far as I can tell. Surprised it did way better than AVG Free :0
I re-installed my operating system (xp) and it’s fine now – tried everything else beforehand.
I got infected by the Cryptor virus the other day. It significantly deteriorated the performance of my PC, to the point that it was maxing my CPU usage to 100% and taking 10 minutes to load any program. This virus really is very destructive and dangerous.
AVG spotted the virus after a manual deep scan (rather than a quick daily scan), removed 141 infected files, but couldn’t clean/remove or quarantine a further 4 infected files. I rebooted my machine and sure enough, the virus was back in all its glory.
I tried running Spyware Search and Destroy, but the virus wouldn’t let the program load or update. I read the above posts and downloaded malwarebytes for free.
The virus prevented me from downloading and running malwarebytes on my machine directly, so I downloaded it from an uninfected machine, saved the .exe file to a memory stick and attempted to run it on my machine.
Again, the virus was clever and wouldn’t let me run the install file on my machine. After reading some more on here, I renamed the .exe file to mbamm.exe and it still wouldn’t run!
I’m guessing the version of the virus I received was a more updated version than others received above. I completely renamed the install file to installme.exe and booted the computer in safe mode.
After I booted in safe mode, the install file managed to install onto my machine without any probs. I did the updates as suggested and ran the program. It found all my infected files, removed them and solved the problem.
I’m now Cryptor virus free! Thanks for all your help and a special gratitude goes to the makers of malwarebytes!
I had this little blighter today. Tried to virus scan with AVG 9, got part way but it was taking ages, CPU at 100%, each object taking several seconds to scan, so after about 8 hours of scanning I aborted and rolled back with System Restore. Updated AVG, scanned clean, CPU back to normal.
System Restore is such a useful tool – I’d recommend setting it up on every new computer before connecting it to a router and setting it up to automatically set restore points – it’s got me out of a load of holes over the years – do it now!!
Malwarebytes does indeed bite, bites the big one! I had this virus and had to use trusty Avast 4.8, NOT 5.0 (that one sucks, worse than crappy AVG). Anyhow, don't use Malwarebytes, it sucks; use Avast, you'll thank me!