How to remove CrySome from infected devices
Trojan. Also Known As: CrySome remote administration trojan
Get a free scan and check if your device is infected.
Remove it now. To use the full-featured product, you have to purchase a license for Combo Cleaner. Seven days free trial available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.
What kind of malware is CrySome?
CrySome is a remote access Trojan (RAT) that lets cybercriminals take control of an infected device. This RAT can steal files and passwords, spy on user activity, and run commands remotely. What makes CrySome an even more serious threat is that it hides itself, disables antivirus software, and stays on the system even after resets or removal attempts.

More about CrySome
Once CrySome connects to its server, it sends information about the infected device. Transmitted details include the computer's username, operating system version, time since boot, and country/region. It also reports the title of the window the user currently has in the foreground, without needing an active remote session.
The RAT then puts the infected system into a state where it can receive commands. Some basic features are always active, while others can be turned on or off depending on the operator's settings. CrySome supports a wide range of commands, allowing cybercriminals to engage in various malicious activities.
It can run shell/PowerShell commands, download and run files, upload and download files, browse, read, and delete files, take screenshots, force the system to reboot, list or kill running programs, take pictures with the webcam, and access (and use) the microphone. CrySome can also enable direct messaging between cybercriminals and victims.
Furthermore, the RAT can create SOCKS/reverse proxy tunnels for covert network access through the victim's machine, view the screen and control the mouse and keyboard (across multiple monitors), take control of a hidden user session and run applications invisibly within it, steal saved browser passwords and cookies, and log everything typed on the keyboard.
Persistence and defense evasion
CrySome creates a scheduled task to relaunch itself every few minutes and plants itself as a Windows service that starts at boot and restarts if it crashes. It copies itself into hidden backup folders so it can recover if deleted and adds registry entries so it runs automatically when Windows starts. The RAT can modify certain system files to remain even after factory resets.
Furthermore, CrySome hides its files and locks them so they cannot be deleted, and runs a "watcher" process that restarts it if it is stopped. It can mark itself as a critical system process (terminating a process flagged this way crashes Windows, which is one reason removal should be done from Safe Mode, where the RAT is not running) and block security tools from accessing or stopping it.
Additionally, the RAT finds and kills antivirus processes, blocks antivirus installation files, stops antivirus services and prevents them from restarting, and disables Microsoft Defender features (such as real-time protection, cloud protection, scanning, etc.). It can also block security programs from launching at all.
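As an added example (not the page's or CrySome's code), the following PowerShell script audits a host for the persistence and defense-evasion patterns just described: scheduled tasks that repeat every few minutes, auto-start services whose binary lives outside the standard program directories (and whether the Service Control Manager restarts them on failure), Run/RunOnce registry values, Microsoft Defender preferences and policy overrides, Image File Execution Options "Debugger" hijacks (a general check, since the page does not name the technique CrySome uses to block security tools from launching), and hidden+system executables under user-writable paths. Nothing in it is CrySome-specific: the 10-minute threshold, the trusted directory list and the scanned roots are assumptions, and it will flag some legitimate software for human review.

```powershell
# Added example, not code from the page or from CrySome. Hunts for the persistence and
# defense-evasion patterns described above on a Windows 10/11 host. Nothing here is
# CrySome-specific (no task, service or file names of the RAT are assumed); it reports
# generic indicators for a human to review, and will also list some legitimate entries.
#Requires -RunAsAdministrator

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Enabled scheduled tasks that repeat every few minutes (the "relaunch itself" pattern).
foreach ($task in Get-ScheduledTask | Where-Object State -ne 'Disabled') {
    foreach ($trigger in $task.Triggers) {
        $interval = $trigger.Repetition.Interval          # ISO 8601 duration such as PT5M, or $null
        if (-not $interval) { continue }
        $period = [System.Xml.XmlConvert]::ToTimeSpan($interval)
        if ($period.TotalMinutes -le 10) {                # assumed threshold
            $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join ' ; '
            $findings.Add("Task $($task.TaskPath)$($task.TaskName) repeats every $($period.TotalMinutes) min: $cmd")
        }
    }
}

# 2. Auto-start services whose binary is outside the Windows/Program Files trees, plus whether
#    the SCM is configured to restart them on failure (the "restarts if it crashes" pattern).
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
foreach ($svc in Get-CimInstance Win32_Service | Where-Object StartMode -eq 'Auto') {
    if (-not $svc.PathName) { continue }
    # PathName is a command line: a quoted path, or an unquoted path followed by arguments.
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split '\s+')[0] }
    $trusted = $trustedRoots | Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
    if ($trusted) { continue }
    $restarts = (sc.exe qfailure $svc.Name) -match 'RESTART'
    $findings.Add("Service $($svc.Name) auto-starts from $exe" + $(if ($restarts) { ' and restarts on failure' }))
}

# 3. Registry Run/RunOnce autostarts in both hives.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notlike 'PS*') { $findings.Add("Run entry $key\$($p.Name) = $($p.Value)") }  # PS* = provider metadata
    }
}

# 4. Microsoft Defender tampering: the preferences the RAT is reported to flip, the policy
#    override that disables Defender outright, and the service state.
try {
    $pref = Get-MpPreference -ErrorAction Stop
    foreach ($name in 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableIOAVProtection', 'DisableScriptScanning') {
        if ($pref.$name) { $findings.Add("Defender: $name is set") }
    }
    if ($pref.MAPSReporting -eq 0) { $findings.Add('Defender: cloud protection (MAPSReporting) is off') }
} catch { $findings.Add("Defender: Get-MpPreference failed ($($_.Exception.Message)); is the WinDefend service stopped?") }
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
if ((Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).DisableAntiSpyware -eq 1) {
    $findings.Add("Defender: disabled by policy ($policy\DisableAntiSpyware = 1)")
}
if ((Get-Service -Name WinDefend -ErrorAction SilentlyContinue).Status -ne 'Running') { $findings.Add('Defender: WinDefend service is not running') }

# 5. Image File Execution Options "Debugger" values, a common way to stop security tools from
#    launching. General check: the article does not say which technique CrySome uses for this.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($sub in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings.Add("IFEO debugger hijack for $($sub.PSChildName): $dbg") }
}

# 6. Hidden+System executables under user-writable roots (the "hidden backup folders" pattern).
foreach ($root in $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData) {
    Get-ChildItem -Path $root -Recurse -Force -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and $_.Attributes.HasFlag([IO.FileAttributes]::System) } |
        ForEach-Object { $findings.Add("Hidden+System executable: $($_.FullName)") }
}

if ($findings.Count -eq 0) { 'No persistence or Defender-tampering indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it from an elevated prompt. Treat the output as leads, not verdicts: verify each flagged path the same way the removal section below describes for Autoruns entries (full path, publisher, whether the name mimics a legitimate Windows binary) before deleting anything.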
| Name | CrySome remote administration trojan |
| Threat Type | Remote Administration Trojan |
| Detection Names | Avast (Win32:MalwareX-gen [Misc]), Combo Cleaner (Gen:Variant.Application.Barys.65422), ESET-NOD32 (MSIL/Agent.FTF Trojan), Kaspersky (HEUR:Trojan-Spy.MSIL.Bobik.gen), Microsoft (Trojan:MSIL/Crysome!AMTB), Full List (VirusTotal) |
| Symptoms | RATs are designed to stealthily infiltrate the victim's computer and remain silent, so no particular symptoms are clearly visible on an infected machine. |
| Possible distribution methods | Infected email attachments, malicious online advertisements, social engineering, software vulnerabilities, software 'cracks'. |
| Damage | Stolen passwords and banking information, identity theft, the victim's computer added to a botnet, additional infections, monetary loss. |
| Malware Removal (Windows) | To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner (seven-day free trial available; a license is required for the full-featured product). |
Conclusion
CrySome gives attackers control over an infected device and allows them to steal data, spy on users, and perform many malicious actions remotely. It is designed to stay hidden and keep running by using strong persistence methods that make it hard to remove, even after restarts or system resets. These capabilities make it a dangerous threat.
More examples of RATs are GHOSTFORM, KarstoRAT, and Moonrise.
How did CrySome infiltrate my computer?
Malicious software such as CrySome is commonly delivered via infected files, including executables, compressed archives, scripts, and documents such as PDFs and Office files. In some cases simply opening such a file triggers the infection; in others the victim must take an additional step, such as enabling content in a document or running an extracted file.
Cybercriminals use various distribution methods to spread malware, including email attachments or links, fake software downloads, security vulnerabilities, fraudulent tech support messages, malicious or hacked websites, pirated or cracked software, deceptive ads, infected removable drives, peer-to-peer sharing platforms, and third-party downloaders.
How to avoid installation of malware?
Only open links or attachments from trusted sources, and be cautious with unexpected emails or messages, especially if they come from unknown senders. Make sure to download apps and software only from official websites or verified app stores, and avoid using cracked programs, pirated software, or key generators.
Keep your operating system and all applications up to date, and avoid interacting with ads, pop-ups, or other content on untrusted websites. Additionally, do not agree to receive notifications from shady pages.
If you believe that your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.
Website promoting CrySome (source: cyfirma.com):

Crysome's admin panel (source: cyfirma.com):

Instant automatic malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
DOWNLOAD Combo Cleaner. By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use.
Quick menu:
- What is CrySome?
- STEP 1. Manual removal of CrySome malware.
- STEP 2. Check if your computer is clean.
How to remove malware manually?
Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Combo Cleaner Antivirus for Windows.
If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:

If you checked the list of programs running on your computer, for example, using task manager, and identified a program that looks suspicious, you should continue with these steps:
Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations:

Restart your computer into Safe Mode:
Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer's start process, press the F8 key on your keyboard repeatedly until you see the Windows Advanced Options menu, and then select Safe Mode with Networking from the list.

Video showing how to start Windows 7 in "Safe Mode with Networking":
Windows 8 users: Start Windows 8 in Safe Mode with Networking - Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced startup options, and in the opened "General PC Settings" window, select Advanced startup.
Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings".
Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.

Video showing how to start Windows 8 in "Safe Mode with Networking":
Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding "Shift" button on your keyboard. In the "choose an option" window click on the "Troubleshoot", next select "Advanced options".
In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.

Video showing how to start Windows 10 in "Safe Mode with Networking":
Extract the downloaded archive and run the Autoruns.exe file.

In the Autoruns application, click "Options" at the top and uncheck "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.

Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.
You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right click your mouse over its name and choose "Delete".

After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.

Reboot your computer in normal mode. Following these steps should remove the malware from your computer, but note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs.
These steps might not work with advanced malware infections. As always, it is better to prevent infection than to try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software. To be sure your computer is free of malware infections, we recommend scanning it with Combo Cleaner Antivirus for Windows.
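The Autoruns procedure above removes one autostart entry at a time, but a RAT with the persistence set described earlier (scheduled task, service with restart-on-failure, Run keys, hidden backup copies, Defender tampering) re-establishes itself from whichever piece was missed. As an added example (not the page's or CrySome's code), the PowerShell script below removes every piece that refers to one identified binary and then restores Defender after the reboot. `$MalwarePath` is a hypothetical placeholder for the full path you wrote down from Autoruns; the scanned roots (AppData, ProgramData, Temp) for backup copies are an assumption. It matches on the full path rather than the file name, because the RAT may reuse a legitimate name such as svchost.exe, and it finds backup copies by SHA-256 rather than by name for the same reason.

```powershell
# Added example, not the page's or CrySome's code. Removes the persistence set described in the
# article for ONE identified binary, then restores Defender after the reboot.
# $MalwarePath is a hypothetical placeholder: pass the full path you recorded from Autoruns.
# Run twice from an elevated prompt: first in Safe Mode with Networking (the RAT and its
# watcher are not running there, and terminating a process flagged as critical would crash
# Windows), then again after rebooting to normal mode to re-enable Defender.
#Requires -RunAsAdministrator
param([Parameter(Mandatory)][string]$MalwarePath)

# Match on the full path, not the file name: the RAT may reuse a legitimate name such as svchost.exe.
function Test-RefersTo([string]$Text) {
    if (-not $Text) { return $false }
    return $Text.IndexOf($MalwarePath, [StringComparison]::OrdinalIgnoreCase) -ge 0
}

function Remove-RatPersistence {
    if (-not (Test-Path -LiteralPath $MalwarePath)) { throw "Not found: $MalwarePath" }
    Start-Service -Name Schedule -ErrorAction SilentlyContinue   # Task Scheduler may be stopped in Safe Mode

    # 1. Scheduled tasks whose action (command or arguments) runs the binary.
    Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object { Test-RefersTo "$($_.Execute) $($_.Arguments)" }
    } | ForEach-Object {
        "Removing task $($_.TaskPath)$($_.TaskName)"
        Unregister-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath -Confirm:$false
    }

    # 2. Services whose command line runs the binary: stop, then remove from the SCM
    #    (this also drops the restart-on-failure recovery actions).
    Get-CimInstance Win32_Service | Where-Object { Test-RefersTo $_.PathName } | ForEach-Object {
        "Removing service $($_.Name)"
        Stop-Service -Name $_.Name -Force -ErrorAction SilentlyContinue
        sc.exe delete $_.Name | Out-Null
    }

    # 3. Run/RunOnce values in both hives that point at the binary.
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and (Test-RefersTo "$($p.Value)")) {
                "Removing $key\$($p.Name)"
                Remove-ItemProperty -Path $key -Name $p.Name
            }
        }
    }

    # 4. The binary plus any byte-identical copy (same SHA-256) in the usual hidden backup spots.
    #    Size is compared first so only same-length files are hashed.
    $orig = Get-Item -LiteralPath $MalwarePath -Force
    $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $MalwarePath).Hash
    $copies = foreach ($root in $env:APPDATA, $env:LOCALAPPDATA, $env:ProgramData, $env:TEMP) {
        Get-ChildItem -Path $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -eq $orig.Length -and $_.FullName -ne $orig.FullName } |
            Where-Object { (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Hash -eq $hash }
    }
    foreach ($file in @($orig) + @($copies)) {
        "Deleting $($file.FullName)"
        $file.Attributes = 'Normal'      # clears the Hidden/System/ReadOnly flags the RAT sets on its files
        Remove-Item -LiteralPath $file.FullName -Force
    }
}

function Restore-DefenderSettings {
    # Policy overrides that keep Defender off survive a reboot; remove them, then turn the
    # reported features back on. Set-MpPreference needs WinDefend, which does not run in Safe Mode.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    Remove-ItemProperty -Path $policy -Name DisableAntiSpyware -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path "$policy\Real-Time Protection" -Name DisableRealtimeMonitoring -ErrorAction SilentlyContinue
    Start-Service -Name WinDefend -ErrorAction SilentlyContinue
    Set-MpPreference -DisableRealtimeMonitoring $false -DisableBehaviorMonitoring $false `
        -DisableIOAVProtection $false -DisableScriptScanning $false -MAPSReporting Advanced
    Start-MpScan -ScanType QuickScan
}

# Dispatch on how Windows was booted: SAFEBOOT_OPTION is set only in Safe Mode.
if ($env:SAFEBOOT_OPTION) { Remove-RatPersistence } else { Restore-DefenderSettings }
```

Usage: `.\Remove-CrySomePersistence.ps1 -MalwarePath 'C:\...\identified.exe'` (script name and path are placeholders) once in Safe Mode with Networking, then once more after rebooting normally. If a file still refuses deletion in Safe Mode, something other than attributes is holding it (an ACL deny or a driver), and that is the point at which to stop and let a scanner or a clean reinstall finish the job.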
Frequently Asked Questions (FAQ)
My computer is infected with CrySome malware, should I format my storage device to get rid of it?
A clean reinstall of Windows from trusted installation media will remove CrySome, but it wipes all files from the system; note that this RAT is reported to survive in-place factory resets, so the built-in reset is not a reliable substitute. In most cases, using a reputable security program such as Combo Cleaner should be tried first.
What are the biggest issues that malware can cause?
Malware can corrupt or delete files, inject additional malware, spy on victims, and more. This can lead to severe outcomes such as financial damage, data and identity theft, unauthorized account access, data loss, and other serious problems.
What is the purpose of CrySome RAT?
CrySome RAT is designed to secretly spy on users by accessing the screen, webcam, microphone, and system activity. It can also steal sensitive data like passwords, files, cookies, and system information. At the same time, it gives attackers full remote control of the device while staying hidden and disabling security tools.
How did malware infiltrate my computer?
Malware is commonly delivered through malicious executables, archives, scripts, and documents, which can infect a device when opened or run. Cybercriminals use malicious websites, phishing emails with attachments or links, fake tech support scams, software flaws, cracked programs, harmful online ads, infected USB drives, peer-to-peer sharing networks, and untrusted third-party download sources to deliver malware.
Will Combo Cleaner protect me from malware?
Yes, Combo Cleaner is capable of finding and removing most known malware infections. However, some advanced threats can be deeply hidden in the system, so running a complete system scan is important to ensure full detection.
Tomas Meskauskas
Expert security researcher, professional malware analyst
I am passionate about computer security and technology. I have over 10 years of experience working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats.
The PCrisk security portal is brought to you by RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.