Comments on keyliner.blogspot.com: Removing Win32/Cryptor Virus
Blog author: traywolf (http://www.blogger.com/profile/06205565591880314520)
Comment feed last updated 2024-03-27

traywolf (2010-04-23 06:06 +01:00):
The author writes: I have updated this article with (hopefully) more streamlined steps. I had the chance to use these same steps for another infected machine and I was again successful. Bad surfing habits...

Anonymous (2010-03-16 16:22 +00:00):
Wow, it works. I blundered through your procedure in my usual inept way, with some stages not 100% as you suggested, but I carried on regardless and I seem to have a clean machine again. Excellent procedure. Nice work and thanks. Dave.

traywolf (2010-01-22 06:16 +00:00):
JD: Without an internet connection, you will never get the virus cleaned. From another computer, download (and expand) all needed software; then burn to CD (not a thumbdrive).

Try running all cleanup steps from the CD -- this might even be a safer way to clean all viruses because the virus can't monkey with the other programs.

I'll experiment with this idea in the future.

Anonymous (2010-01-21 18:26 +00:00):
Fantastic. Took one afternoon in total and followed every step to the letter - success!

First class, thank you.

traywolf (2009-12-17 04:46 +00:00):
Anonymous (ProcessExplorer): I believe the latest versions of Cryptor use legitimate-sounding names; check the list carefully.

If still not found, I suppose you could continue with the remaining steps. If the virus is still installed, it won't let MalwareBytes even load -- if this happens, this is your hint to look at Process Explorer more carefully. If you are still stuck, send me a screenshot (see About, on the right side of this blog).

Anonymous (2009-12-16 18:31 +00:00):
I'm going through the steps to remove the Cryptor virus on my other computer. I've downloaded and run Process Explorer, but I don't see anything in the explorer.exe section that I can't identify as a valid process. What now? Should I go ahead and download RootRepeal and continue from there?

traywolf (2009-11-10 05:29 +00:00):
By chance, my nephew's computer was infected with a different rootkit: Win32/Vundo.B and Win32/Vundo.Gen.G.

These steps also cleaned the virus. Of interest, Microsoft's new MSE detected the viruses, but hung the computer when it tried to clean them - indicating it probably would have prevented the infection if it were installed pre-virus... but the cleanup failure was disheartening.

(Sadly, MSE also failed to detect Trojan.FakeAlert and Adware.MyWebSearch.)

With the Vundo.B, it took a lot of coaxing to get MalwareBytes to run, and I've enhanced the steps above to account for this. Once again, MalwareBytes saved the day. I wonder how their real-time scanner works?

Anonymous (2009-09-11 15:15 +01:00):
Nice work Tim! Thank you for the info and time spent on this. I was on the verge of admitting defeat until I ran across your post. It worked like a champ! Much kudos to you, Sir. I'd never used RootRepeal before, nice little program! On a side note, I also wiped the UACxxxxxxxxx.dll's that were hidden in the windows\system32\drivers folder. Something else I ran across was that Corel Suite 8 has some hidden UACxxx files that I left alone. After AVG, SuperAntiSpyware, Malwarebytes, and IObit Security 360 scans, the PC is looking clean. One other thing I was considering is trying Avast Home Edition and scheduling a boot scan. I found that works well on infections. Thanks again!

Anonymous (2009-09-10 01:27 +01:00):
Would just like to say that the process works, to anyone wondering. It took me the better part of a day in all to get through everything. But, as far as I know, it has fixed all the issues related to this. Kudos to whosoever figured this out. Normally I take care of viruses/trojans/worms/whatever on my own. But this one was particularly resilient.
Don't take shortcuts, it's a pain in the ass.

Anonymous (2009-09-07 22:12 +01:00):
Tim, I followed your instructions to the letter. Yes, it did take quite a while (as you indicated it would), but the advice was well worth the effort. This was a particularly nasty program that thwarted the usual deletion efforts. Still not sure how it first got into the system, but with teenagers, anything is possible. My thanks for sharing the fruits of your labor with the rest of us!

teabag (2009-08-09 03:27 +01:00):
Thank you for the response. Just to wrap up the story, my brother ended up running Spybot - Search and Destroy followed by AVG, and this seems to have gotten rid of the virus. Malwarebytes installed, but even after renaming, I could never get it to actually run.

An external backup drive is definitely in the works.

Cheers,

traywolf (2009-08-05 06:44 +01:00):
Response to Teabag:
System Restore not working: No real surprise, and I hope my article expressed my lack of faith in that step. In any case, it couldn't hurt to run it. More on this in a moment.

The HpSdpApp is an HP printer program that can be removed. If you are familiar with the registry, remove it at this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

or Start, Run, MSConfig and remove it from the startup files. If you are curious, HP has this article about this program. It appears their program may be malfunctioning, and this is another reason to remove it.

From your email, I was unsure if Malwarebytes ran successfully or not (you implied it ran but did not find the HP file). If it ran successfully and didn't find anything else to clean, then this would be good news. Not knowing the exact order you ran your steps, the System Restore may have returned many infected files back to a non-infected state, and other anti-virus steps may have cleaned other files. All of this might explain why it did not find this same file (or others). Again, this would be good news. Also, if the virus programs updated themselves, they may have removed a false positive.

Knowing when the viruses are fully removed is tricky, and this is why my article recommends running multiple different programs. Confirm each program is up-to-date and try running AVG again. If all report no problems, then you may be done.

Write me again with more details, if needed.

Once you get the machine cleaned, consider an external USB backup drive.
See my previous article: Maxtor USB Drive

or more sophisticated software, such as Acronis vs Ghost.
(Sorry I can't link to these in this message.)

teabag (2009-08-05 05:11 +01:00):
Hi,

This is a request for some advice (or a miracle would be great too).

I ran AVG first because I hadn't found this post. It found 100 infected files, 3 of which were spyware and 97 of which were viruses. AVG removed the spyware and 3 of the virally infected files, but I couldn't get it to remove the other 94 infected files.

At this point I found your post.

I tried System Restore, which didn't work.

I then proceeded to download and run the Malicious Software Removal Tool, which found and got rid of one virus.

I skipped the AVG run because I had done it previously.

I downloaded, renamed, and ran the Malwarebytes file. During installation it tried to find:
C:\SWSETUP\EISU\HpSdpApp\
but couldn't, because it was supposedly on a network resource that was unavailable, but it somehow finished installing without it.

The .exe files were renamed and I tried running, but then it tried and failed to find the same file as above. So now I'm stuck. Can you recommend a next step?

Thanks,