How To Remove W32/Cryptor and Replace Infected SYS files

A client named Patty brought over her laptop today and said her AVG detected a virus that it couldn’t remove.  I booted the laptop up and within 10 minutes AVG had detected w32/Cryptor.  AVG identifies w32/Cryptor as malware that usually patches a system driver (atapi.sys is a typical target), so the malicious code is loaded by the kernel at boot.  It has rootkit capabilities that hide and protect it while Windows is booted and running, which is why AVG can detect it but not remove it from inside the infected system.

Getting rid of w32/Cryptor can be a bit difficult for the average user.  Here’s how to remove it.  This walkthrough assumes a .sys file is infected with w32/Cryptor and AVG can’t clean it from the running system.

What You’ll Need To Remove w32/Cryptor (my way)

  • First, find out which .sys file is infected (the AVG detection shows the path of the file it flagged).  You’ll need a clean copy of that exact file, taken from your Windows install disc.  On the disc the file is stored compressed, with an underscore in the extension (atapi.sy_ for atapi.sys); decompress it with expand.exe, which takes the compressed file and the destination path as its two arguments.  Use install media at the same service pack level and architecture as the installed Windows: driver versions differ between service packs, and a mismatched or wrong-architecture driver can stop Windows from booting.
  • Create a Kaspersky Rescue Disk (KRD) on a USB stick, following Kaspersky’s instructions.  After KRD has been loaded onto the stick, create another folder on the stick called sysfiles and put the clean copies of the infected .sys files there.
  1. Boot the infected PC to the Kaspersky Rescue USB Disk.
  2. Update the databases.
  3. Scan the boot sectors and the C:\ drive.  If malware is found, first try to disinfect; if that doesn’t work, quarantine; if that doesn’t work, delete.  Don’t delete a system driver such as atapi.sys outright, though: Windows can’t boot without it, so a driver that can’t be disinfected gets replaced in step 4 instead.
  4. Chances are w32/Cryptor has been found and successfully disinfected.  If the driver could not be disinfected, go to c:\windows\system32\drivers and rename the infected .sys file to .sys.old (atapi.sys becomes atapi.sys.old).  Keeping the renamed original means you can put it back if Windows fails to boot with the replacement.  Then navigate to the sysfiles folder you created on the USB stick and copy the clean .sys file(s) from it into c:\Windows\system32\drivers, making sure each clean copy has the same name as the file you renamed.
  5. Reboot.
  6. Perform a follow-up full scan with Malwarebytes.
  7. Consider reinstalling your antivirus or switching to Kaspersky Internet Security.
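The check-and-replace in step 4, written out as a POSIX shell script for a rescue environment that gives you a Linux shell with the Windows volume mounted (KRD is Linux-based; any offline rescue shell with sha256sum from GNU coreutils works).  This is an added example, not the original post’s procedure and not a Kaspersky or AVG tool.  The two directory arguments are assumptions about your mount points: the mounted volume’s system32\drivers directory (written with the case the volume actually uses) and the sysfiles folder from the USB stick.  The function names are mine.  It hashes each suspect driver against the clean copy, keeps the original as NAME.old, copies the clean file in, and re-hashes to confirm the copy landed intact.  It refuses to touch anything when the clean copy is missing, so it never leaves the volume without a boot-critical driver.

```shell
#!/bin/sh
# Added example, not the original post's procedure or any vendor tool.
# Offline replacement of a driver that a rootkit patched: run this from a rescue
# environment, never from the infected Windows install. Assumptions (hypothetical):
#   DRIVERS  = the mounted Windows volume's system32/drivers directory,
#              e.g. /mnt/windows/Windows/system32/drivers (case must match the volume)
#   SYSFILES = the folder of clean copies from the install media (the post's "sysfiles")
# Requires sha256sum (GNU coreutils), present on most Linux rescue disks.

# Return 0 if the suspect driver is byte-identical to the clean copy, 1 if it differs,
# 2 if either file is missing.
driver_is_clean() {
    suspect="$1"; clean="$2"
    [ -f "$suspect" ] && [ -f "$clean" ] || return 2
    s=$(sha256sum "$suspect" | cut -d' ' -f1)
    c=$(sha256sum "$clean" | cut -d' ' -f1)
    [ "$s" = "$c" ]
}

# Replace one driver by name (e.g. atapi.sys): keep the suspect copy as NAME.old so the
# swap can be reversed if Windows will not boot, then copy the clean file in.
# Returns 0 when replaced, 1 when left alone (already matches), 2 on error.
replace_driver() {
    drivers="$1"; sysfiles="$2"; name="$3"
    suspect="$drivers/$name"; clean="$sysfiles/$name"
    [ -f "$clean" ]   || { echo "no clean copy of $name in $sysfiles" >&2; return 2; }
    [ -f "$suspect" ] || { echo "$suspect not found on the volume" >&2; return 2; }
    if driver_is_clean "$suspect" "$clean"; then
        echo "$name already matches the clean copy, leaving it alone"
        return 1
    fi
    mv "$suspect" "$suspect.old" || return 2
    # If the copy fails, put the original back rather than leave no driver at all.
    cp "$clean" "$suspect" || { mv "$suspect.old" "$suspect"; return 2; }
    # Re-hash to confirm the copy landed intact.
    driver_is_clean "$suspect" "$clean" || return 2
    echo "$name replaced, original kept as $name.old"
    return 0
}

# Replace every *.sys found in SYSFILES; prints how many were replaced and
# returns 0 only if at least one was.
replace_all() {
    drivers="$1"; sysfiles="$2"; count=0
    for f in "$sysfiles"/*.sys; do
        [ -f "$f" ] || continue
        if replace_driver "$drivers" "$sysfiles" "$(basename "$f")"; then
            count=$((count + 1))
        fi
    done
    echo "$count driver(s) replaced"
    [ "$count" -gt 0 ]
}

# Usage from the rescue shell (paths are assumptions):
#   sh replace_drivers.sh /mnt/windows/Windows/system32/drivers /mnt/usb/sysfiles
if [ "$#" -eq 2 ]; then
    replace_all "$1" "$2"
fi
```

A hash mismatch on its own is not proof of infection: the copy on the install disc is often an older build than the one a service pack or hotfix left on the system, so only put drivers the scanner actually flagged into sysfiles, and take the clean copy from media at the same service pack level.  The NAME.old backup is what lets you recover if the replacement turns out to be the wrong version.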

I realize the above instructions are somewhat simplified, so I’ll make a video on how to do this step-by-step.

2 Responses to How To Remove W32/Cryptor and Replace Infected SYS files

  1. MHazell June 17, 2012 at 3:00 am #

    Any better results with MSE?

    P.S. Have you heard of Disqus 2012 yet? It just came out to the general public, out of beta testing. I was a beta tester.

    http://www.disqus.com

  2. Ssz June 18, 2012 at 6:39 am #

    Can’t you remove that with the AVG Rescue CD?
