No Action Possible: Trojan.CryptRedol.Gen.2

Howdy


I did a full system scan about 4 days ago and found out I had around 40 infections, all with the same name, Trojan.CryptRedol.Gen.3, and no action was possible. So I downloaded a bunch of other free scanners; one of them was Ad-Aware, which found win32TrojanAgent and win32TrojanSpy and successfully removed both of them. When I scanned my computer with BitDefender again, I found out I now have 38 infections with the same name, Trojan.CryptRedol.Gen.2.


I have no idea how 40 infections of Trojan.CryptRedol.Gen.3 went to 38 infections of Trojan.CryptRedol.Gen.2. When the scan was done, BitDefender could not remove the Trojan.CryptRedol.Gen.2 infections; it gave me this as the location:


\\?\globalroot\systemroot\system32\geyekrjvrcpam.dll (for all 38). Not sure if that helps.

Comments

  • Hello Tommy Guns,


    Please follow the next link: http://kb.bitdefender.com/KB490-br--The-sy...s-infected.html and run the Avis and the Gmer tools. Upload the resulting reports, together with the scan report that you have run with BitDefender, here: http://www.sendspace.com/ and post the download link(s).


    Thank you.

  • The links to Avis and Gmer work; however, when I try to download them, they both say that the link appears to be broken.

  • Hello Tommy Guns,


    The download links from our website appear to work normally. I have uploaded the tools at the following link: http://www.sendspace.com/file/4i85xh . Run them and post here the download link with the results.


    Thank you.

  • If it's still needed, I'll post the BitDefender scan results tonight.

  • Just did a scan with BitDefender; here is the link to the log:


    http://fs11u.sendspace.com/processupload.html

  • Erm... any help would be appreciated.

  • Hello Tommy Guns,


    Unfortunately, the download links provided are not complete. We have sent you an email, and we would like you to reply with the reports that we need attached.


    Thank you.

  • Is there a fix for this yet? I have the same problem with 58 detections.

  • Hello baggiebird,


    In order to be able to help you, please upload your scan report, an Avis log and a Gmer log to http://www.sendspace.com/ and then post the download links here.


    Thank you.

  • I am having the same problem with no possible solution. Please advise.


    AVIS


    http://www.sendspace.com/file/tf1n1e


    GMER


    http://www.sendspace.com/file/q8j3d8


    BitDefender Log


    http://www.sendspace.com/file/01rlle

  • Hello ewirjadi,


    We have sent you an email with the steps that will help you send us a sample of the file detected as infected by BitDefender. Please reply when you have time.


    Thank you.

  • Hi,


    I'm having the same problem with about 80 infections. (The exact number seems to change from scan to scan, anywhere between 79 and 84.) I tried installing a trial version of Kaspersky and turning off BitDefender temporarily, but Kaspersky caused some problems on reboot and not all the components worked correctly, so I turned BitDefender back on again.


    I have uploaded the following reports:


    BitDefender log: http://www.sendspace.com/file/v9emxo


    AVIS log: http://www.sendspace.com/file/ev18nt


    GMER log: http://www.sendspace.com/file/davqsx


    Thank you for any help you can provide.

  • I've been fighting this infection for several days now to no avail. The infection doesn't seem to affect my system all that much, other than random lag spikes and redirecting me when I click links on Google. But it is very annoying and I hate being infected. I've tried scanning in safe mode, running a deep scan, and following some instructions you guys have given to others, but nothing works.


    The infection is called "Trojan.CryptRedol.Gen.2" & "Trojan.CryptRedol.Gen.3"


    ---


    Here's my latest Log File:


    BitDefender Log File


    Product : BitDefender Internet Security 2009


    Version : BitDefender UIScanner v.12


    Scanning task : Deep System Scan


    Log date : 7/27/2009 10:29:00 PM


    Log path : C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\deep_scan\1248748140_3_02.xml


    Scan Paths:


    Path 0000: C:\


    Scan Options:


    Scan for viruses : Yes


    Scan for adware : Yes


    Scan for spyware : Yes


    Scan for applications : Yes


    Scan for dialers : Yes


    Scan for rootkits : Yes


    Target Selection Options:


    Scan registry keys : Yes


    Scan cookies : Yes


    Scan boot sectors : Yes


    Scan memory processes : Yes


    Scan archives : Yes


    Scan runtime packers : Yes


    Scan emails : No


    Scan all files : Yes


    Heuristic Scan : Yes


    Scanned extensions :


    Excluded extensions :


    Target Processing:


    Default action for infected objects : Disinfect


    Default action for suspicious objects : None


    Default action for hidden objects : None


    Default action for encrypted infected objects : None


    Default action for encrypted suspicious objects : None


    Default action for password-protected objects : Log as not scanned


    Scan engines summary


    Number of virus signatures : 3850203


    Archive plugins : 44


    Email plugins : 6


    Scan plugins : 13


    System plugins : 5


    Unpack plugins : 7


    Overall scan summary


    Scanned items : 34173


    Infected items : 29


    Suspicious items : 0


    Resolved items : 0


    Unresolved items : 29


    Password-protected items : 0


    Overcompressed items : 0


    Individual viruses found : 29


    Scanned directories : 470


    Scanned boot sectors : 0


    Scanned archives : 400


    Input-output errors : 3


    Scan time : 00:07:59


    Files per second : 69


    Scanned processes summary


    Scanned : 31


    Infected : 0


    Scanned registry keys summary


    Scanned : 833


    Infected : 0


    Scanned cookies summary


    Scanned : 11


    Infected : 0


    Remaining issues:


    Object Name    Threat Name    Final Status


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    \\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed


    and here's my HJT log:


    Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 10:24:01 PM, on 7/27/2009


    Platform: Windows XP SP3 (WinNT 5.01.2600)


    MSIE: Internet Explorer v7.00 SP3 (7.00.6000.20935)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\Ati2evxx.exe


    C:\WINDOWS\system32\svchost.exe


    C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\Ati2evxx.exe


    C:\WINDOWS\Explorer.EXE


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Analog Devices\Core\smax4pnp.exe


    C:\Program Files\Logitech\iTouch\iTouch.exe


    C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe


    C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe


    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe


    C:\Program Files\BitDefender\BitDefender 2009\seccenter.exe


    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe


    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe


    C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe


    C:\WINDOWS\system32\IoctlSvc.exe


    C:\WINDOWS\System32\TUProgSt.exe


    C:\Program Files\Common Files\Teleca Shared\Generic.exe


    C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe


    C:\Program Files\Mozilla Firefox\firefox.exe


    C:\Program Files\BitDefender\BitDefender 2009\uiscan.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =


    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =


    R3 - Default URLSearchHook is missing


    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)


    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll


    O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2009\IEToolbar.dll


    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe


    O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe


    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe


    O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun


    O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions


    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\BitDefender\BitDefender 2009\bdagent.exe"


    O4 - HKLM\..\Run: [bitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2009\IEShow.exe"


    O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin


    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone (HKLM)


    O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone (HKLM)


    O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone (HKLM)


    O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)


    O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone (HKLM)


    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab


    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1246467546140


    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab


    O23 - Service: Box_NTR v2.6A (.bntr) - Unknown owner - C:\Documents and Settings\All Users\Application Data\Norton\bntr.exe


    O23 - Service: BitDefender Arrakis Server (Arrakis3) - BitDefender S.R.L. http://www.bitdefender.com - C:\Program Files\Common Files\BitDefender\BitDefender Arrakis Server\bin\Arrakis3.exe


    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe


    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe


    O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe


    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe


    O23 - Service: McAfee Real-time Scanner (McShield) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe (file missing)


    O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe


    O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe


    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe


    O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe


    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe


    O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe


    O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S. R. L. - C:\Program Files\BitDefender\BitDefender 2009\vsserv.exe


    --


    End of file - 6097 bytes


    Thanks in advance for any help you guys can provide.

  • I've downloaded and run AVIS and Gmer, as you guys have requested someone else with a similar problem to do, and uploaded the results to sendspace, so here are the logs from those apps:


    http://www.sendspace.com/file/pwyktg

  • Kronix420
    edited July 2009

    I'm having the same problem. I've posted my BitDefender, HijackThis, AVIS, and GMER logs here: http://forum.bitdefender.com/index.php?showtopic=14728


    Any help at all would be appreciated. I've been having a hell of a time getting rid of this trojan, and I've never had this much trouble with any virus before in my life. It's a doozy. :P

  • Hi, I am also having issues with this virus; BitDefender tells me there is no action possible.


    I have uploaded the 3 logs to the following link: http://www.sendspace.com/file/31p7lg


    Any assistance would be greatly appreciated.

  • Alex Stanciu
    edited September 2009

    Hello just_coll and Nathan Fleck,


    We have forwarded the submitted reports to my colleagues from the Virus Analysis team. Until we receive a response from them, we recommend that you follow the steps below and try to run a scan and delete the infections using our Rescue CD. Here is what you have to do:


    1. Boot the computer using the Rescue CD;


    2. Allow BitDefender to perform a scan;


    3. Go to the mounted partition (the Hard Disk Part. icon), then browse to and delete the items detected as infected by the BitDefender scan by right-clicking and selecting "Delete" from the File/Dir submenu.


    In order to check whether the virus removal procedure has succeeded, we recommend another complete scan of your computer with BitDefender (from the Windows environment).


    [how to CREATE A RESCUE CD]


    In order to create the BitDefender Rescue CD you have to first download the latest image (the .iso file) from:


    http://download.bitdefender.com/rescue_cd/ and burn it on a CD or DVD using a tool of your choice;


    The freeware ISO Burner can be used to create the disc (save and extract the tool to a location of your choice, start IsoBurner.exe, select the image file location and the recorder if they are not already set, and choose "BURN"):


    RECOMMENDED: http://software.lsoft.net/Iso-burner.zip


    alternative:


    http://www.bitdefender.com/files/KnowledgeBase/file/Iso-burner.zip


    [how to SCAN USING THE RESCUE CD]


    1. Insert the BitDefender Rescue CD into your CD drive and restart your computer. Select any options required to start (boot) from the CD (this procedure differs slightly depending on your motherboard manufacturer; for more information, check the motherboard product manual);


    2. Make sure that the network cable is plugged in and the system is connected to the internet;


    3. Choose "Start knoppix" when you are presented with the boot menu (if you do not choose within 30 seconds, the computer will continue booting normally);


    4. The loading process will commence and text will scroll on the screen. During this time the environment is loaded and BitDefender performs a signature update. If the process seems to hang for more than 10 minutes, reboot the computer and try again.


    5. BitDefender will start scanning the contents of your computer as soon as Knoppix is loaded; the results will be displayed when the scan is completed.


    Thank you.
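    To tie the posted log to the Rescue CD steps above, here is an added example (a triage script of my own, not BitDefender's tooling or anything from this thread) that parses the "Remaining issues" section, collapses the repeated rows into one record per object, flags paths reported through \\?\globalroot\systemroot\ (the Win32 prefix that reaches the file via the NT object namespace rather than a drive letter, which is the form every "Disinfect Failed" row in this thread has) and maps each object to where it would sit on the disk once mounted from the Rescue CD. The mount point /media/sda1, the Windows directory name and the list of recognised status strings are assumptions; the sample log is a constructed, cut-down copy of the one posted above.

```python
import re
from collections import OrderedDict

# Constructed sample input (not a real log): three of the identical
# "Disinfect Failed" rows from the log posted in this thread, plus one
# made-up drive-letter detection so the two path styles can be compared.
SAMPLE_LOG = r"""
Scan time : 00:07:59
Remaining issues:Object Name Threat Name Final Status
\\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed
\\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed
\\?\globalroot\systemroot\system32\hjgruivyxviqmu.dll Trojan.CryptRedol.Gen.2 Disinfect Failed
C:\Documents and Settings\user\Local Settings\Temp\sample.exe Trojan.Generic.Sample Deleted
"""

# Final-status strings the parser recognises (an assumption; extend as needed).
STATUSES = ("Disinfect Failed", "Deleted", "Disinfected", "No action possible", "Quarantined")
_ROW_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<threat>\S+)\s+(?P<status>"
    + "|".join(re.escape(s) for s in STATUSES) + r")$"
)

# "\\?\globalroot\" is the Win32 prefix into the NT object namespace, and
# "systemroot" there is the object-manager link to the Windows directory.
# A scanner reports a file this way when it reached it through the kernel
# namespace instead of the usual drive-letter path.
GLOBALROOT_PREFIX = "\\\\?\\globalroot\\systemroot\\"


def parse_remaining_issues(log_text):
    """Return the rows (path, threat, status) listed under 'Remaining issues:'."""
    rows, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("Remaining issues:"):
            in_section = True
            continue
        if not in_section or not line:
            continue
        match = _ROW_RE.match(line)
        if match:
            rows.append(match.groupdict())
    return rows


def is_object_namespace_path(path):
    """True for paths reported through the globalroot/systemroot prefix."""
    return path.lower().startswith(GLOBALROOT_PREFIX.lower())


def summarize(rows):
    """Collapse repeated detections of one object into a single record."""
    summary = OrderedDict()
    for row in rows:
        rec = summary.setdefault(row["path"], {
            "threat": row["threat"],
            "status": row["status"],
            "count": 0,
            "hidden_hint": is_object_namespace_path(row["path"]),
        })
        rec["count"] += 1
    return summary


def to_offline_path(win_path, mount_point="/media/sda1", windows_dir="WINDOWS"):
    """Map a logged path to its location once the disk is mounted from the Rescue CD.

    mount_point and windows_dir are assumptions: confirm them with `mount`
    and `ls` in the Knoppix environment before deleting anything.
    """
    if is_object_namespace_path(win_path):
        rel = windows_dir + "\\" + win_path[len(GLOBALROOT_PREFIX):]
    elif re.match(r"^[A-Za-z]:\\", win_path):
        rel = win_path[3:]
    else:
        raise ValueError("unrecognised path form: " + win_path)
    return mount_point + "/" + rel.replace("\\", "/")


def triage(log_text):
    """One line per distinct object: what it is, how often, and where to find it offline."""
    lines = []
    for path, rec in summarize(parse_remaining_issues(log_text)).items():
        note = ("reached via NT object namespace; likely hidden, delete offline"
                if rec["hidden_hint"] else "ordinary path")
        lines.append("%dx %s [%s] %s -> %s (%s)" % (
            rec["count"], rec["threat"], rec["status"], path,
            to_offline_path(path), note))
    return lines


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry)
```

    Run against the full log posted above, the 29 "Disinfect Failed" rows collapse to a single DLL under system32 with a random name, reached only through the object namespace; that is consistent with the in-Windows scan reporting "no action possible" and with the support staff asking for a GMER log and pointing to an offline scan, where the same file is just an ordinary entry under WINDOWS\system32 on the mounted partition.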

  • Simple solution:

    I had the same problem, and BitDefender cannot remove those.

    However, I got a hint when I tried to hand-remove one affected file. Then I realized why: some bad intruder is logged into my computer.

    Then I knew what to do:

    1) disconnect from internet

    2) restart the computer

    3) do a full scan without connecting to the internet

    4) BitDefender can remove those.

    I still have one problem: scan after scan, these 2 deleted items always come back, and I do not know why:

    C:\System Volume Information\_restore{38CD8A46-037E-418E-AACF-DD7968E4D008}\RP10\A0010504.vbs Generic.ScriptWorm.2B7AE718 Deleted

    C:\System Volume Information\_restore{38CD8A46-037E-418E-AACF-DD7968E4D008}\RP10\A0010505.inf=](unicode) VBS.Pica.E@mm Deleted

    Any ideas?

  • If my guess was correct, it seems BitDefender cannot defend my computer from intruders' illegal log-ins.

    I wish I were wrong....

  • Hello javachina,

    The files that were detected as infected are some system restore points that could not be deleted, due to the nature of the malware they are infected with. In order to remove these infected files, you will have to follow the instructions that you will find at the next link: http://kb.bitdefender.com/KB2 .

    Thank you.

  • (Quoting Alex Stanciu's Rescue CD instructions above.)

    I am unable to reboot using this CD.