To completely find and remove the W32/Kriz virus (also known as Win32.Kriz), you must intercept the virus before Windows loads, clean the infected files, and manually replace your core Kernel32.dll system file.
Because W32/Kriz is a highly destructive, memory-resident virus that overwrites core Windows files and attempts to erase your BIOS and hard drive on December 25th, standard removal while Windows is active will not work. The virus actively blocks its own deletion and reinfects files as you scan. Phase 1: Finding and Isolating the Virus
Check for Symptoms: Look for sudden system instability, unknown applications crashing, or your security software alerting you to modified PE (.exe) files.
Identify Injected Files: The virus primarily targets and modifies your Kernel32.dll file, saving a copy of it as KRIZED.TT6 in the system directory, and modifies WININIT.INI to overwrite the clean file on reboot.
Disconnect from Networks: Unplug your internet and local network cables immediately. Kriz can actively spread across mapped network drives and shared folders. Phase 2: Removing the Virus Completely
Since the virus resides in the system memory and hooks into Windows processes, you must disinfect the machine from an environment outside of the infected Windows operating system.
┌────────────────────────────────────────────────────────┐ │ Step 1: Boot into Clean Environment (Rescue USB/DOS) │ └───────────────────────────┬────────────────────────────┘ ▼ ┌────────────────────────────────────────────────────────┐ │ Step 2: Run Offline/Boot-Time Antivirus Engine │ └───────────────────────────┬────────────────────────────┘ ▼ ┌────────────────────────────────────────────────────────┐ │ Step 3: Manually Replace Infected Kernel32.dll File │ └───────────────────────────┬────────────────────────────┘ ▼ ┌────────────────────────────────────────────────────────┐ │ Step 4: Clean Registry and Clear System Restore │ └────────────────────────────────────────────────────────┘ 1. Boot into a Clean Environment
Do not boot into normal Windows. Instead, use a different, uninfected computer to download a bootable antivirus utility. Symantec warns of W32.Kriz computer virus – ProQuest
Leave a Reply