Win32/Cryptor Virus explorer.exe and svchost.exe

Dell / LATITUDE
May 3, 2009 at 14:50:33
Specs: Windows XP w/ service pack 2
Hi,

Last week my laptop got infected with the Win32/Cryptor virus (I guess).

I installed AVG and it found this, but it says it cannot heal explorer.exe and svchost.exe.

Can someone please help and guide me on how I could get rid of this virus?

I appreciate your help.

Thanks,
Valen


Results of the AVG Scan:
"\\?\globalroot\systemroot\system32\UACbqjcaoowrxusysh.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACbqjcaoowrxusysh.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACbqjcaoowrxusysh.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACbqjcaoowrxusysh.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACcyyollydvpyxjhl.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACcyyollydvpyxjhl.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACcyyollydvpyxjhl.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACcyyollydvpyxjhl.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACcyyollydvpyxjhl.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\WINDOWS\explorer.exe (3736)";"Virus found Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (612)";"Virus found Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (660)";"Virus found Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (696)";"Virus found Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (832)";"Virus found Win32/Cryptor";""


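As an added example (not part of the original post, and not AVG's own tooling), here is a small Python parser for the report format shown above. It assumes the three-field layout seen in those lines (target; detection; action) and that a number in parentheses after a path is the process id of a running process, which is what the explorer.exe and svchost.exe entries suggest. It de-duplicates the repeated DLL hits, separates the entries AVG quarantined from the process hits whose action field is empty (the "cannot heal" case), and rewrites the \\?\globalroot\systemroot paths into the %SystemRoot% form the rest of the report uses. The sample lines are copied from the report above.

```python
import csv
import re
from typing import Dict, List, Optional

# Constructed sample: six lines copied from the AVG report in the opening post.
# The report repeats the same DLL several times; the duplicates are kept so the
# de-duplication step has something to do.
SAMPLE_REPORT = r'''"\\?\globalroot\systemroot\system32\UACbqjcaoowrxusysh.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACbqjcaoowrxusysh.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"\\?\globalroot\systemroot\system32\UACcyyollydvpyxjhl.dll";"Virus found Win32/Cryptor";"Moved to Virus Vault"
"C:\WINDOWS\explorer.exe (3736)";"Virus found Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (612)";"Virus found Win32/Cryptor";""
"C:\WINDOWS\system32\svchost.exe (660)";"Virus found Win32/Cryptor";""
'''

# Assumption: when the hit is a running process rather than a file on disk,
# AVG appends the process id in parentheses, as in "C:\WINDOWS\explorer.exe (3736)".
PROCESS_RE = re.compile(r"^(?P<path>.+?) \((?P<pid>\d+)\)$")

# \\?\globalroot\ addresses the NT object namespace directly, and \systemroot
# there is the symbolic link to the Windows directory, so this prefix is just
# %SystemRoot% written without a drive letter.
NT_SYSTEMROOT = "\\\\?\\globalroot\\systemroot"


def parse_report(text: str) -> List[Dict[str, object]]:
    """Parse AVG's semicolon-separated, double-quoted lines into records,
    dropping exact duplicates while keeping first-seen order."""
    seen = set()
    records = []
    # csv handles the quoting; backslashes are plain characters here, not escapes.
    for row in csv.reader(text.splitlines(), delimiter=";", quotechar='"'):
        if len(row) != 3:
            continue  # blank or malformed line
        target, detection, action = row
        match = PROCESS_RE.match(target)
        record = {
            "path": match.group("path") if match else target,
            "pid": int(match.group("pid")) if match else None,
            "detection": detection,
            "action": action,
        }
        key = (record["path"], record["pid"], detection, action)
        if key in seen:
            continue
        seen.add(key)
        records.append(record)
    return records


def to_windows_path(path: str) -> Optional[str]:
    """Rewrite a globalroot/systemroot NT path as %SystemRoot%..., or return
    None if the path is not in that form."""
    if path.lower().startswith(NT_SYSTEMROOT):
        return "%SystemRoot%" + path[len(NT_SYSTEMROOT):]
    return None


def triage(records: List[Dict[str, object]]) -> Dict[str, list]:
    """Separate what the scanner dealt with from what it only reported."""
    result = {"quarantined": [], "unhandled_processes": [], "nt_namespace_paths": []}
    for record in records:
        if record["action"]:
            result["quarantined"].append(record["path"])
        elif record["pid"] is not None:
            # Empty action on a live process: the scanner saw the infection in
            # memory but did nothing about it, which is the "cannot heal" case.
            result["unhandled_processes"].append((record["path"], record["pid"]))
        win = to_windows_path(record["path"])
        if win:
            result["nt_namespace_paths"].append(win)
    return result


if __name__ == "__main__":
    summary = triage(parse_report(SAMPLE_REPORT))
    for bucket, items in summary.items():
        print(bucket)
        for item in items:
            print("   ", item)
```

The useful signal is the "unhandled_processes" bucket: files AVG could move to the vault are gone, but hits with an empty action on a running process are still live, which is why the same entries come back on every scan until the process is stopped or the machine is cleaned another way.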


#1
May 12, 2009 at 11:31:43
win32/cryptor FIXED! Solved! For me anyway...

A friend gave me his lappie to sort out. It had a free Norton antivirus compliments of Google Pack, but it wasn't updating or uninstalling properly. Another problem was that on every reboot Google Updater complained of an error and shut down, and I couldn't uninstall or reinstall it properly either.

I downloaded and ran the latest AVG Free. AVG, even in Safe Mode or DOS mode, was no good: it could see Cryptor but not delete it. I loaded Spybot Search & Destroy; it seemed to install but would not actually load up properly, although I got the tray icon.

I Googled win32/cryptor and somebody suggested Malwarebytes Anti-Malware. As I'd never heard of it, I Googled that! I wouldn't want it to be another Antivirus 2009!

Download.com and Major Geeks were offering it, so I thought it likely to be legit.

Downloaded it and then ran it: nothing. Downloaded from a second site, still nothing, so more Googling. It was suggested that I rename the install file. Guess what, it then installed! I did a reboot, then ran the program; again nothing.
Just on a hunch I renamed the following executable file, C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe, to mbamm.exe. Don't forget to let it go and get the latest updates.

That did the trick! Ten minutes later all trace of Cryptor was gone. I rebooted, then scanned with AVG, which found nothing more than a few cookies. An Ad-Aware scan then turned up a load more cookies.

Chances are that renaming the appropriate Spybot .exe file would have done the trick. If there is more than one executable in the directory, take a look at the properties of the Start menu Spybot link; that usually tells you which one you need to tinker with. Google seems to be behaving too.

The virus was clever enough to block certain executables by name. As soon as it didn't recognise the name, it was possible to remove it.

Good Luck

DominicO
London


#4
May 21, 2009 at 01:51:51
THANK YOU Dom. I've encountered this exact virus on two different machines over the past 2 weeks. After many hours of beating my head against a wall, I gave up and did a full system restore on the first one (from a different boot partition, as not only does this awful virus block Spybot & Malwarebytes unless renamed as specified above, but it also blocks the Windows System Restore program!). On the second machine I was about to punt again, after *trying to rename* mbam.exe to "Copy of mbam.exe"... didn't work. Dominic is right on... renaming to something a bit less like mbam.exe did the trick... the program fired up (I actually already had it installed) and is chugging away. AVG found it in my case too, but couldn't move/heal/delete the three critical files it infected, viz. explorer.exe, svchost.exe, iexplore.exe. Nice work Dominic. Eric. Chicago, IL


#5
May 21, 2009 at 01:56:41
Ahh... more on the cause... The first guy clicked on a banner to download "Anti spyware 2009", and the second *paid $50 by credit card* for the same fraudulent, incredibly malicious piece of nuclear trash. Be EXTREMELY cautious of any utility software or anti-anything software you download & install. Get it from the author's site if possible, and don't even think of trying anything that's not recommended by someone "who knows." Surf safe. Eric. (Chicago, IL)


#6
May 30, 2009 at 19:18:17
THANK YOU Everyone who has posted here.
My 12-year-old daughter inadvertently infected my laptop with this virus on May 19th by clicking on the Anti Virus 2009 scare notice.

AVG sees it, but cannot fix or heal it. I recently found this site and have tried the fixes suggested. I too could not do a system restore with Windows or launch Spybot or Malwarebytes. I then tried renaming the .exe files in both applications, and they launch for an instant but then are shut down. A friend has suggested that perhaps I have a more recent version of this vile Cryptor virus and the bad guys have "fixed" it to recognize what's being launched, rather than the name of the file. Any thoughts? Has anyone else not been able to launch Spybot or Malwarebytes by renaming them? I would be most grateful for any suggestions, as my laptop is useless now and I don't have a system restore disk for it, as I purchased it used from a local computer parts store. Thank you very much for your assistance in advance. Regards, John San Miguel


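The rename workaround from posts #1 and #4, and the failure mode in post #6 (the renamed tool starts and is killed anyway), as an added Python example that is not part of this thread or of any of the tools named in it. It assumes Python is available on the affected Windows machine and that the tool's path is the one post #1 gives (pass a different path as the first argument). It copies the executable under a random name that does not contain the original stem, starts it, and reports whether the original and the copy survive a grace period; a copy that dies as quickly as the original means the blocker is not keying on the file name, which is what post #6 describes.

```python
import random
import shutil
import string
import subprocess
import sys
from pathlib import Path
from typing import Optional, Sequence


def decoy_name(original: str, length: int = 8) -> str:
    """Random basename with the original extension that does not contain the
    original stem, e.g. mbam.exe -> qzkwhrtp.exe. "Copy of mbam.exe" still
    contains "mbam", which is the variant post #4 found did not work."""
    src = Path(original)
    stem = src.stem.lower()
    while True:
        candidate = "".join(random.choices(string.ascii_lowercase, k=length))
        if not stem or stem not in candidate:
            return candidate + src.suffix


def observe(proc: subprocess.Popen, grace_seconds: float) -> Optional[int]:
    """Exit code if the process ended within the grace period, else None."""
    try:
        return proc.wait(timeout=grace_seconds)
    except subprocess.TimeoutExpired:
        return None


def probe(cmd: Sequence[str], cwd: Optional[str], grace_seconds: float) -> bool:
    """Start cmd, report whether it was still alive after the grace period,
    then stop it. A tool that is terminated within seconds of launching, with
    no user action, is being killed by something on the machine."""
    proc = subprocess.Popen(list(cmd), cwd=cwd)
    alive = observe(proc, grace_seconds) is None
    if alive:
        proc.terminate()
        proc.wait()
    return alive


def calibrate(grace_seconds: float = 2.0) -> bool:
    """Sanity check for probe() before trusting its verdict: a harmless copy of
    this interpreter that sleeps past the grace period must be reported alive,
    and one that exits at once must not."""
    long_lived = [sys.executable, "-c", "import time; time.sleep(60)"]
    short_lived = [sys.executable, "-c", "raise SystemExit(0)"]
    return probe(long_lived, None, grace_seconds) and not probe(short_lived, None, grace_seconds)


def launch_renamed(exe: str, args: Sequence[str] = (), grace_seconds: float = 10.0) -> dict:
    """Copy exe to a random name beside it, start the copy, and leave it running
    if it survives. Copying instead of renaming keeps the original in place for
    the tool's own updater and uninstaller."""
    src = Path(exe)
    dst = src.with_name(decoy_name(src.name))
    shutil.copy2(src, dst)
    proc = subprocess.Popen([str(dst), *args], cwd=str(src.parent))
    code = observe(proc, grace_seconds)
    return {"copy": str(dst), "pid": proc.pid, "survived": code is None, "returncode": code}


def verdict(original_alive: bool, renamed_alive: bool) -> str:
    if original_alive:
        return "original runs: no name-based blocking observed"
    if renamed_alive:
        return "original killed, renamed copy runs: blocking is by file name"
    return ("both killed: the blocker keys on something other than the file "
            "name, so renaming alone will not get the tool running")


if __name__ == "__main__":
    # Assumed default path, taken from post #1; pass another on the command line.
    exe = sys.argv[1] if len(sys.argv) > 1 else r"C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe"
    grace = 10.0
    if not calibrate():
        sys.exit("probe() cannot tell a live process from an exited one here")
    if probe([exe], str(Path(exe).parent), grace):
        print(verdict(True, False))
    else:
        result = launch_renamed(exe, grace_seconds=grace)
        print(verdict(False, result["survived"]))
        print(result)
```

Run it from an administrator prompt; the probe of the original is stopped after the grace period on purpose, and only the renamed copy is left running so the scan can proceed. If the copy also dies, the script prints the "both killed" verdict and the next step is something other than renaming, such as scanning the disk from another boot environment as post #4 did.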

#7
May 30, 2009 at 19:24:05
Create your own post if you need help.


#8
June 20, 2009 at 11:26:00
Many MANY thanks to DominicO for explaining this -- I have saved an immense headache by cleaning up the machine without having to restore. Unbelievable that Cryptor would constantly re-infect iexplore.exe and svchost.exe after AVG and other cleanups, and even more unbelievable that it would prevent Malwarebytes from installing or loading. After I renamed the setup file with my own file name, it installed. Once the program was installed, I renamed mbam.exe to another file name and it worked. Great!


#9
July 17, 2009 at 06:48:03
Help!
I can't find any mbam.exe in c/programfiles/malwarebytes to rename! I've 'searched' and it offered me mbam there and also mbam.exe in something called c/windows/prefetch?? Renaming these did nothing.
