A client named Patty brought over her laptop today and said her AVG detected a virus that it couldn’t remove. I booted the laptop up and within 10 minutes AVG had detected w32/cryptor. w32/Cyrptor is identified by AVG as malware and usually patches a system file (like atapi.sys). It’s got rootkit capabilities which prevent it from being removed while Windows is booted and running.
Getting rid of w32/Cryptor can be a bit difficult for the average user. Here’s how to remove it. This example assumes you have a .sys file infected with w32/Cryptor and you can’t remove it with AVG.
What You’ll Need To Remove w32 Cryptor (my way)
- First, try to find out which .sys file is infected. You’ll need a clean copy of that file. You can get this off your windows install disc. If the file is named something like atapi.sy_ then you’ll need to decompress it first (run expand.exe to decompress it).
- Create a Kaspersky Rescue Disk (USB). Here’s how. After the KRD has been loaded on your USB stick create another folder on the stick called sysfiles. Put clean copies of the infected .sys files here.
- Boot the infected PC to the Kaspersky Rescue USB Disk.
- Update the databases.
- Scan bootsectors and the C:\ drive. If malware is encountered first try to disinfect, if that doesn’t work then quarantine, if that doesn’t work then delete.
- Chances are w32/Cryptor has been found and successfully disinfected….however if it couldn’t be disinfected then you’ll need to go to c:\windows\system32\drivers and rename the .sys file to .sys.old. For example atapi.sys would be renamed to atapi.sys.old if it was infected. Navigate to the custom folder you just created (sysfiles) with the clean copy(s) of the .sys files. Copy the .sys files from that folder to c:\Windows\system32\drivers.
- Perform follow up full scan with Malwarebytes.
- Consider reinstalling your Antivirus or Switching to Kaspersky Internet Security.
I realize the above instructions are sorta simplified, so I’ll make a video on how to do this step-by-step.